23542300x800000000000000071086878Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:57:54.992{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A682F3AC61760F4D2EE41A43C9D6988,SHA256=82F8817241001BEEE9F0ED6CD0AA8DA2464746BE364BDC6E8C644C4ABE5FB535,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000150682515Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:57:36.564{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local59751-false10.0.1.12-8089- 23542300x8000000000000000150682514Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:57:54.476{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=807BF1E68787E4609D1822F526C3C514,SHA256=698F9622ADC57C6D963E90EC661A0D24A05FA4044D8069F80F8D58DA7EAB8FEC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150682516Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:57:55.491{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77BC4679F424FBEB1EBBA70246DE6846,SHA256=53BA630128F71663B7807D52C8FDCEC30CA16770C6C19B319D20725DD7847E5C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071086880Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:57:55.617{B81B27B7-4B3A-61E8-1000-00000000CE01}984NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=9EA065826948D16885E15277B1DED8F4,SHA256=B29388D02E26EE20C83DDC7E1296E1E3686398D329BD3A648AA29FFB67A292B6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000071086879Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:57:47.786{B81B27B7-4B45-61E8-6600-00000000CE01}4020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local54085-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000150682517Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:57:56.491{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0B9C0BC153A5892F8C16BEAC7657225,SHA256=7AF43117FE7ECB193E2F698E7560A333065E91D102A013224B9B28D65225979A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071086881Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:57:56.007{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EDF6AB09360CA3BDC8AFD4D00782A72,SHA256=CE9FDCA7C13338E9E060B9737FB5E7D27D00594AC432415619273633A7A945C2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150682518Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:57:57.507{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=391F383E8A4A6AAFB42671145AA240D8,SHA256=683411226600081C738BD9EADD297B6C0CAE639B5584982C412B5028B163DDC3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071086882Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:57:57.007{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04C49AC0315A443194EC3288836D271D,SHA256=41EF32C918E99DCD63A7943DA77F008210E7FE5E7C1ABBE98F70AB62DF1EA736,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150682519Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:57:58.554{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=124E72EEB01E7CE426E763D8E1785119,SHA256=4E0C302D9790A692DDD82FD15120C8DFD438EFDC26BEBA9D7E05F0E1208C4D01,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071086883Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:57:58.038{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B2AD6D483C2267A850EC0CE714B6870,SHA256=A45D1278E5BCCAC7ECBAEAF17D0EB3C70C238AB8AA78D9F0BA7CB383B6F97377,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000150682523Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:57:41.783{3BF36828-4B56-61E8-6D00-00000000CF01}4044C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local59752-false10.0.1.12-8000- 23542300x8000000000000000150682522Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:57:59.616{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A204378791361043CD3A5B0AAA7B857B,SHA256=A4A10D9B6EEFFB1DC7FEE44B20250780463F4D588B87A3E2AE86B7599908E3C9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071086884Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:57:59.179{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0961AA65EEB98E64881F7DAFEDCA6866,SHA256=BF47CE3874D4BCEF5D135DE3D825010C1D4E2E84C32E6572D9C197EA79EC92F3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150682521Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:57:59.257{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=250DF5729F676CFA575555C18E47A550,SHA256=BB83FC8AD94DBC0AE27B841C7FFB3C333B1C78C37EBA39631A86E1B137F08103,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150682520Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:57:59.257{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=072B32D23385E93FDDF10CF9837571C0,SHA256=005BE75F20139BFA50DA0B362F40BED22806C214683FBDE5E4ECF7CA4E0396B8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150682524Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:00.632{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EC13D91C50C95B68DC02C3C6D4C45CE,SHA256=F3C2836792028F6EB91C69E96DF882FD965D23D1B5FE088CABB60E25D9408534,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071086886Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:00.195{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D54B53976BDBE45383E72F1637A32F92,SHA256=4A75BC6CBB3B162495C2F87521ACBA03C3B932603691081FEDE06AF96637813F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000071086885Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:57:52.880{B81B27B7-4B45-61E8-6600-00000000CE01}4020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local54086-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000150682525Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:01.648{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0746B3BBB30838D7C2A69267ED8F8C3,SHA256=BDD2C7FE2E8F87399B7FD4ACA516510BA3D7143FC64217CAFA88835B1BF961BB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071086887Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:01.414{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F92018BB513B2BF8C4899EED97E8C039,SHA256=AFA46D707F1BD6939C7D011F24FB188A7D306BD6F3D6A202447476A75E8E7894,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071086888Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:02.492{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=901A1CF74AD37DE73AC11DAF4AFDB5B5,SHA256=8B8121870B887FE1351CF4172AF636B5FF6AA5FA98BB8F030138005A1757DB83,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000150682574Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:02.929{3BF36828-BAFA-61F9-780D-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000150682573Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:02.929{3BF36828-BAFA-61F9-780D-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000150682572Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:02.929{3BF36828-BAFA-61F9-780D-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000150682571Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:02.929{3BF36828-BAFA-61F9-780D-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000150682570Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:02.929{3BF36828-BAFA-61F9-780D-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000150682569Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:02.929{3BF36828-BAFA-61F9-780D-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000150682568Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:02.929{3BF36828-BAFA-61F9-780D-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000150682567Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:02.929{3BF36828-BAFA-61F9-780D-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000150682566Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:02.913{3BF36828-BAFA-61F9-780D-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000150682565Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:02.913{3BF36828-BAFA-61F9-780D-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000150682564Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:02.913{3BF36828-BAFA-61F9-780D-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000150682563Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:02.913{3BF36828-BAFA-61F9-780D-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000150682562Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:02.913{3BF36828-BAFA-61F9-780D-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000150682561Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:02.913{3BF36828-BAFA-61F9-780D-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000150682560Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:02.913{3BF36828-BAFA-61F9-780D-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150682559Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:02.913{3BF36828-BAFA-61F9-780D-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000150682558Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:02.913{3BF36828-BAFA-61F9-780D-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000150682557Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:02.913{3BF36828-BAFA-61F9-780D-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000150682556Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:02.913{3BF36828-BAFA-61F9-780D-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000150682555Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:02.913{3BF36828-BAFA-61F9-780D-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000150682554Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:02.913{3BF36828-BAFA-61F9-780D-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000150682553Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:02.913{3BF36828-BAFA-61F9-780D-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000150682552Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:02.913{3BF36828-BAFA-61F9-780D-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000150682551Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:02.913{3BF36828-BAFA-61F9-780D-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000150682550Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:02.913{3BF36828-BAFA-61F9-780D-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000150682549Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:02.913{3BF36828-BAFA-61F9-780D-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000150682548Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:02.913{3BF36828-BAFA-61F9-780D-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000150682547Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:02.913{3BF36828-BAFA-61F9-780D-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000150682546Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:02.913{3BF36828-BAFA-61F9-780D-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000150682545Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:02.913{3BF36828-BAFA-61F9-780D-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000150682544Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:02.913{3BF36828-BAFA-61F9-780D-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000150682543Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:02.913{3BF36828-BAFA-61F9-780D-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000150682542Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:02.913{3BF36828-BAFA-61F9-780D-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000150682541Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:02.913{3BF36828-BAFA-61F9-780D-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000150682540Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:02.913{3BF36828-BAFA-61F9-780D-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x8000000000000000150682539Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:02.913{3BF36828-BAFA-61F9-780D-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x8000000000000000150682538Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:02.913{3BF36828-4B4B-61E8-3600-00000000CF01}34443464C:\Windows\system32\conhost.exe{3BF36828-BAFA-61F9-780D-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150682537Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:02.913{3BF36828-BAFA-61F9-780D-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000150682536Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:02.913{3BF36828-BAFA-61F9-780D-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000150682535Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:02.913{3BF36828-BAFA-61F9-780D-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150682534Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:02.913{3BF36828-BAFA-61F9-780D-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8trueSplunk, Inc.Valid 10341000x8000000000000000150682533Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:02.898{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150682532Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:02.898{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150682531Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:02.898{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150682530Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:02.898{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150682529Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:02.898{3BF36828-4B36-61E8-0500-00000000CF01}416532C:\Windows\system32\csrss.exe{3BF36828-BAFA-61F9-780D-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000150682528Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:02.898{3BF36828-4B49-61E8-2D00-00000000CF01}30564072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-BAFA-61F9-780D-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000150682527Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:02.883{3BF36828-BAFA-61F9-780D-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4B37-61E8-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000150682526Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:02.679{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=950FF5E623962176FF297168BC230A1B,SHA256=F5988519B42239C8768F0DC7AB56C60F9DAD0B14B7AD1A9C0E22CE6FAC69A7ED,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150682631Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:03.898{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=250DF5729F676CFA575555C18E47A550,SHA256=BB83FC8AD94DBC0AE27B841C7FFB3C333B1C78C37EBA39631A86E1B137F08103,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000150682630Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:03.819{3BF36828-BAFB-61F9-790D-02000000CF01}4228596C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150682629Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:03.819{3BF36828-BAFB-61F9-790D-02000000CF01}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000150682628Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:03.819{3BF36828-BAFB-61F9-790D-02000000CF01}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000150682627Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:03.788{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFFF818819A913F6FCCAF5F0AD6A23FD,SHA256=FED48D52E546508871ED9EABD9D2A8BFA0CDEF3231FDDF2BAAA459BCC2325E79,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150682626Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:03.757{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8081F924CDDE29B47EBC4BEC1531CC3,SHA256=21AF4DCEC7F3A65D1F975974ABE8E674393442051377E573B032BCC9BC253AFF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071086889Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:03.538{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11B0C5242D0DCC6C4FA9207854940D1A,SHA256=48D72EE5FB560DEDB88336CFD3C6E49E0A1070972D20C3923CF476663F5F4514,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000150682625Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:03.632{3BF36828-BAFB-61F9-790D-02000000CF01}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000150682624Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:03.632{3BF36828-BAFB-61F9-790D-02000000CF01}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000150682623Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:03.632{3BF36828-BAFB-61F9-790D-02000000CF01}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000150682622Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:03.632{3BF36828-BAFB-61F9-790D-02000000CF01}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000150682621Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:03.632{3BF36828-BAFB-61F9-790D-02000000CF01}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000150682620Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:03.632{3BF36828-BAFB-61F9-790D-02000000CF01}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000150682619Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:03.632{3BF36828-BAFB-61F9-790D-02000000CF01}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000150682618Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:03.632{3BF36828-BAFB-61F9-790D-02000000CF01}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000150682617Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:03.632{3BF36828-BAFB-61F9-790D-02000000CF01}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000150682616Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:03.616{3BF36828-BAFB-61F9-790D-02000000CF01}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000150682615Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:03.616{3BF36828-BAFB-61F9-790D-02000000CF01}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000150682614Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:03.616{3BF36828-BAFB-61F9-790D-02000000CF01}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000150682613Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:03.616{3BF36828-BAFB-61F9-790D-02000000CF01}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000150682612Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:03.616{3BF36828-BAFB-61F9-790D-02000000CF01}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000150682611Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:03.616{3BF36828-BAFB-61F9-790D-02000000CF01}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000150682610Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:03.616{3BF36828-BAFB-61F9-790D-02000000CF01}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000150682609Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:03.616{3BF36828-BAFB-61F9-790D-02000000CF01}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000150682608Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:03.616{3BF36828-BAFB-61F9-790D-02000000CF01}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000150682607Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:03.616{3BF36828-BAFB-61F9-790D-02000000CF01}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000150682606Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:03.616{3BF36828-BAFB-61F9-790D-02000000CF01}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000150682605Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:03.616{3BF36828-BAFB-61F9-790D-02000000CF01}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000150682604Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:03.616{3BF36828-BAFB-61F9-790D-02000000CF01}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000150682603Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:03.601{3BF36828-BAFB-61F9-790D-02000000CF01}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000150682602Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:03.601{3BF36828-BAFB-61F9-790D-02000000CF01}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x8000000000000000150682601Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:03.601{3BF36828-BAFB-61F9-790D-02000000CF01}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000150682600Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:03.601{3BF36828-BAFB-61F9-790D-02000000CF01}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000150682599Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:03.601{3BF36828-BAFB-61F9-790D-02000000CF01}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000150682598Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:03.601{3BF36828-BAFB-61F9-790D-02000000CF01}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000150682597Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:03.601{3BF36828-BAFB-61F9-790D-02000000CF01}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000150682596Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:03.601{3BF36828-BAFB-61F9-790D-02000000CF01}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000150682595Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:03.601{3BF36828-BAFB-61F9-790D-02000000CF01}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000150682594Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:03.601{3BF36828-BAFB-61F9-790D-02000000CF01}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000150682593Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:03.601{3BF36828-BAFB-61F9-790D-02000000CF01}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000150682592Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:03.601{3BF36828-BAFB-61F9-790D-02000000CF01}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000150682591Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:03.601{3BF36828-BAFB-61F9-790D-02000000CF01}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150682590Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:03.601{3BF36828-BAFB-61F9-790D-02000000CF01}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000150682589Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:03.601{3BF36828-4B4B-61E8-3600-00000000CF01}34443464C:\Windows\system32\conhost.exe{3BF36828-BAFB-61F9-790D-02000000CF01}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150682588Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:03.601{3BF36828-BAFB-61F9-790D-02000000CF01}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000150682587Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:03.601{3BF36828-BAFB-61F9-790D-02000000CF01}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000150682586Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:03.601{3BF36828-BAFB-61F9-790D-02000000CF01}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150682585Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:03.601{3BF36828-BAFB-61F9-790D-02000000CF01}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165trueSplunk, Inc.Valid 10341000x8000000000000000150682584Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:03.601{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150682583Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:03.601{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150682582Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:03.601{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150682581Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:03.601{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150682580Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:03.601{3BF36828-4B36-61E8-0500-00000000CF01}416532C:\Windows\system32\csrss.exe{3BF36828-BAFB-61F9-790D-02000000CF01}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000150682579Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:03.601{3BF36828-4B49-61E8-2D00-00000000CF01}30564072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-BAFB-61F9-790D-02000000CF01}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000150682578Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:03.586{3BF36828-BAFB-61F9-790D-02000000CF01}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4B37-61E8-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x8000000000000000150682577Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:03.163{3BF36828-BAFA-61F9-780D-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000150682576Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:03.163{3BF36828-BAFA-61F9-780D-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000150682575Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:03.163{3BF36828-BAFA-61F9-780D-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000150682632Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:04.804{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4756C2921964F3991F3734AC056EBB3E,SHA256=F0D8833171975372D9FEEEE36DFDC1FF130CC9D6043C736248491C034BD37A13,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071086890Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:04.601{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E145F0B565EE2D5B1596E6D4631B9731,SHA256=1F59214156A2CA45AF078CFB6738C1188C9AEDB02A7AE5A5BDDB8D2FB2B7FE7C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071086892Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:05.729{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA7F18467AC41FFBFF5C1189A7BAD2BA,SHA256=9B8A743728B0AE042CE8A601C01383C60FDDF85D1A481141F4AE065DB5567FFC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150682634Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:05.835{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4110E94D28F73BC01B089680198218C2,SHA256=081AEB1149FF744F06F0C757EE0798A2D0A3D8BC2DAFEDC8C0A8594165A8DE01,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150682633Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:05.116{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=154520200A1CCA483FE8F22A73DB262E,SHA256=5854B8BABEDC81070125A58187262FF69DD2121AC6FC798682E253F73E5C4149,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000071086891Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:57:58.723{B81B27B7-4B45-61E8-6600-00000000CE01}4020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local54087-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000150682636Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:06.851{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17EB9F6FAFCD0A81781EDF1F75E76A05,SHA256=EB42772B1594388E3F4AFC40C1DB6728283A00F20D3B67C9A174F04792A2D337,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071086893Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:06.731{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1370C74CB19E8D4152D1C8B48F42B09B,SHA256=DE366D26C006157256BCB7B20CBEB1DACB815134C4504EDD7E499DC0D25F67DE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000150682635Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:57:47.673{3BF36828-4B56-61E8-6D00-00000000CF01}4044C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local59753-false10.0.1.12-8000- 23542300x800000000000000071086894Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:07.747{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=193E06DC9604A94DAD00F90375BE4E7D,SHA256=B53D67E4BEE9C5CCD8493049DA25BE08FA3A14D0334752A49F1494B8A81EB040,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071086895Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:08.856{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC2A0528C0AE939B87F39F51E58D8854,SHA256=47FF523FBABEEEE59F973341299FC62BF44B8229B81E9CCCB2D86AD22EC2EFE1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000150682692Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:08.679{3BF36828-BB00-61F9-7A0D-02000000CF01}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000150682691Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:08.679{3BF36828-BB00-61F9-7A0D-02000000CF01}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000150682690Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:08.679{3BF36828-BB00-61F9-7A0D-02000000CF01}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000150682689Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:08.538{3BF36828-BB00-61F9-7A0D-02000000CF01}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000150682688Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:08.538{3BF36828-BB00-61F9-7A0D-02000000CF01}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000150682687Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:08.538{3BF36828-BB00-61F9-7A0D-02000000CF01}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000150682686Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:08.538{3BF36828-BB00-61F9-7A0D-02000000CF01}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000150682685Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:08.538{3BF36828-BB00-61F9-7A0D-02000000CF01}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000150682684Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:08.538{3BF36828-BB00-61F9-7A0D-02000000CF01}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000150682683Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:08.538{3BF36828-BB00-61F9-7A0D-02000000CF01}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000150682682Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:08.538{3BF36828-BB00-61F9-7A0D-02000000CF01}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000150682681Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:08.523{3BF36828-BB00-61F9-7A0D-02000000CF01}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000150682680Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:08.523{3BF36828-BB00-61F9-7A0D-02000000CF01}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000150682679Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:08.523{3BF36828-BB00-61F9-7A0D-02000000CF01}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000150682678Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:08.523{3BF36828-BB00-61F9-7A0D-02000000CF01}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000150682677Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:08.523{3BF36828-BB00-61F9-7A0D-02000000CF01}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000150682676Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:08.523{3BF36828-BB00-61F9-7A0D-02000000CF01}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000150682675Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:08.523{3BF36828-BB00-61F9-7A0D-02000000CF01}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000150682674Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:08.523{3BF36828-BB00-61F9-7A0D-02000000CF01}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000150682673Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:08.523{3BF36828-BB00-61F9-7A0D-02000000CF01}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000150682672Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:08.523{3BF36828-BB00-61F9-7A0D-02000000CF01}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000150682671Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:08.523{3BF36828-BB00-61F9-7A0D-02000000CF01}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000150682670Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:08.523{3BF36828-BB00-61F9-7A0D-02000000CF01}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000150682669Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:08.523{3BF36828-BB00-61F9-7A0D-02000000CF01}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000150682668Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:08.523{3BF36828-BB00-61F9-7A0D-02000000CF01}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000150682667Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:08.523{3BF36828-BB00-61F9-7A0D-02000000CF01}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000150682666Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:08.523{3BF36828-BB00-61F9-7A0D-02000000CF01}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000150682665Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:08.523{3BF36828-BB00-61F9-7A0D-02000000CF01}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000150682664Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:08.523{3BF36828-BB00-61F9-7A0D-02000000CF01}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000150682663Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:08.523{3BF36828-BB00-61F9-7A0D-02000000CF01}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000150682662Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:08.523{3BF36828-BB00-61F9-7A0D-02000000CF01}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150682661Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:08.523{3BF36828-BB00-61F9-7A0D-02000000CF01}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000150682660Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:08.523{3BF36828-BB00-61F9-7A0D-02000000CF01}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000150682659Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:08.523{3BF36828-BB00-61F9-7A0D-02000000CF01}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000150682658Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:08.523{3BF36828-BB00-61F9-7A0D-02000000CF01}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x8000000000000000150682657Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:08.523{3BF36828-BB00-61F9-7A0D-02000000CF01}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000150682656Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:08.523{3BF36828-BB00-61F9-7A0D-02000000CF01}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x8000000000000000150682655Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:08.523{3BF36828-BB00-61F9-7A0D-02000000CF01}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000150682654Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:08.523{3BF36828-BB00-61F9-7A0D-02000000CF01}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x8000000000000000150682653Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:08.523{3BF36828-BB00-61F9-7A0D-02000000CF01}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x8000000000000000150682652Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:08.523{3BF36828-BB00-61F9-7A0D-02000000CF01}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000150682651Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:08.523{3BF36828-BB00-61F9-7A0D-02000000CF01}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000150682650Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:08.523{3BF36828-BB00-61F9-7A0D-02000000CF01}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x8000000000000000150682649Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:08.523{3BF36828-4B4B-61E8-3600-00000000CF01}34443464C:\Windows\system32\conhost.exe{3BF36828-BB00-61F9-7A0D-02000000CF01}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150682648Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:08.523{3BF36828-BB00-61F9-7A0D-02000000CF01}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000150682647Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:08.523{3BF36828-BB00-61F9-7A0D-02000000CF01}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000150682646Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:08.523{3BF36828-BB00-61F9-7A0D-02000000CF01}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150682645Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:08.523{3BF36828-BB00-61F9-7A0D-02000000CF01}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AECtrueSplunk, Inc.Valid 10341000x8000000000000000150682644Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:08.523{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150682643Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:08.523{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150682642Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:08.523{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150682641Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:08.523{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150682640Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:08.523{3BF36828-4B36-61E8-0500-00000000CF01}416432C:\Windows\system32\csrss.exe{3BF36828-BB00-61F9-7A0D-02000000CF01}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000150682639Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:08.523{3BF36828-4B49-61E8-2D00-00000000CF01}30564072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-BB00-61F9-7A0D-02000000CF01}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000150682638Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:08.508{3BF36828-BB00-61F9-7A0D-02000000CF01}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4B37-61E8-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000150682637Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:08.054{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A923D959C755583125A25A69707DDC88,SHA256=49D77833C3DB7E53045BDCB61545B53F754F18D12B84CA6A10D331C23F24ECFA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000071086912Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:09.919{B81B27B7-4B3C-61E8-3000-00000000CE01}31083128C:\Windows\system32\conhost.exe{B81B27B7-BB01-61F9-480D-02000000CE01}2064C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071086911Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:09.919{B81B27B7-4B39-61E8-0C00-00000000CE01}7364968C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071086910Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:09.919{B81B27B7-4B39-61E8-0C00-00000000CE01}7364968C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071086909Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:09.919{B81B27B7-4B39-61E8-0C00-00000000CE01}7364968C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071086908Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:09.919{B81B27B7-4B38-61E8-0500-00000000CE01}420540C:\Windows\system32\csrss.exe{B81B27B7-BB01-61F9-480D-02000000CE01}2064C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000071086907Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:09.919{B81B27B7-4B39-61E8-0C00-00000000CE01}7364968C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071086906Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:09.919{B81B27B7-4B3A-61E8-2600-00000000CE01}21723992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-BB01-61F9-480D-02000000CE01}2064C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000071086905Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:09.904{B81B27B7-BB01-61F9-480D-02000000CE01}2064C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4B39-61E8-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000071086904Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:09.872{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A9A6E5DEEB51805E3D45258B70E2024,SHA256=DD9CE779221AE586C26EAA9C40159FA945FE9003C9F9B488E1AD2845568E1CD8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000071086903Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:09.231{B81B27B7-4B3C-61E8-3000-00000000CE01}31083128C:\Windows\system32\conhost.exe{B81B27B7-BB01-61F9-470D-02000000CE01}4908C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071086902Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:09.231{B81B27B7-4B38-61E8-0500-00000000CE01}4202120C:\Windows\system32\csrss.exe{B81B27B7-BB01-61F9-470D-02000000CE01}4908C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000071086901Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:09.231{B81B27B7-4B39-61E8-0C00-00000000CE01}7364968C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071086900Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:09.231{B81B27B7-4B39-61E8-0C00-00000000CE01}7364968C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071086899Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:09.231{B81B27B7-4B39-61E8-0C00-00000000CE01}7364968C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071086898Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:09.231{B81B27B7-4B39-61E8-0C00-00000000CE01}7364968C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071086897Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:09.231{B81B27B7-4B3A-61E8-2600-00000000CE01}21723992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-BB01-61F9-470D-02000000CE01}4908C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000071086896Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:09.218{B81B27B7-BB01-61F9-470D-02000000CE01}4908C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4B39-61E8-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000150682794Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.866{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FACBDCB4E9A424F6A98EF3AB24D1F4D,SHA256=EAF35B22BD94A8314DE4CB6324059604FA7DDC287183C038B4AC699E27ED4AAB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000150682793Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.851{3BF36828-BB01-61F9-7C0D-02000000CF01}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000150682792Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.851{3BF36828-BB01-61F9-7C0D-02000000CF01}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000150682791Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.851{3BF36828-BB01-61F9-7C0D-02000000CF01}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000150682790Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.851{3BF36828-BB01-61F9-7C0D-02000000CF01}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000150682789Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.851{3BF36828-BB01-61F9-7C0D-02000000CF01}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000150682788Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.851{3BF36828-BB01-61F9-7C0D-02000000CF01}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000150682787Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.835{3BF36828-BB01-61F9-7C0D-02000000CF01}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000150682786Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.835{3BF36828-BB01-61F9-7C0D-02000000CF01}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000150682785Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.835{3BF36828-BB01-61F9-7C0D-02000000CF01}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000150682784Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.835{3BF36828-BB01-61F9-7C0D-02000000CF01}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000150682783Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.835{3BF36828-BB01-61F9-7C0D-02000000CF01}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000150682782Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.835{3BF36828-BB01-61F9-7C0D-02000000CF01}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000150682781Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.835{3BF36828-BB01-61F9-7C0D-02000000CF01}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000150682780Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.835{3BF36828-BB01-61F9-7C0D-02000000CF01}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000150682779Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.835{3BF36828-BB01-61F9-7C0D-02000000CF01}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000150682778Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.835{3BF36828-BB01-61F9-7C0D-02000000CF01}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000150682777Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.835{3BF36828-BB01-61F9-7C0D-02000000CF01}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000150682776Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.835{3BF36828-BB01-61F9-7C0D-02000000CF01}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150682775Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.835{3BF36828-BB01-61F9-7C0D-02000000CF01}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000150682774Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.835{3BF36828-BB01-61F9-7C0D-02000000CF01}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000150682773Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.835{3BF36828-BB01-61F9-7C0D-02000000CF01}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000150682772Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.835{3BF36828-BB01-61F9-7C0D-02000000CF01}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000150682771Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.835{3BF36828-BB01-61F9-7C0D-02000000CF01}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000150682770Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.835{3BF36828-BB01-61F9-7C0D-02000000CF01}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000150682769Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.835{3BF36828-BB01-61F9-7C0D-02000000CF01}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000150682768Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.835{3BF36828-BB01-61F9-7C0D-02000000CF01}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000150682767Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.819{3BF36828-BB01-61F9-7C0D-02000000CF01}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000150682766Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.819{3BF36828-BB01-61F9-7C0D-02000000CF01}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000150682765Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.819{3BF36828-BB01-61F9-7C0D-02000000CF01}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000150682764Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.819{3BF36828-BB01-61F9-7C0D-02000000CF01}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000150682763Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.819{3BF36828-BB01-61F9-7C0D-02000000CF01}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000150682762Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.819{3BF36828-BB01-61F9-7C0D-02000000CF01}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000150682761Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.819{3BF36828-BB01-61F9-7C0D-02000000CF01}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000150682760Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.819{3BF36828-BB01-61F9-7C0D-02000000CF01}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000150682759Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.819{3BF36828-BB01-61F9-7C0D-02000000CF01}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000150682758Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.819{3BF36828-BB01-61F9-7C0D-02000000CF01}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x8000000000000000150682757Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.819{3BF36828-4B4B-61E8-3600-00000000CF01}34443464C:\Windows\system32\conhost.exe{3BF36828-BB01-61F9-7C0D-02000000CF01}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150682756Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.819{3BF36828-BB01-61F9-7C0D-02000000CF01}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000150682755Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.819{3BF36828-BB01-61F9-7C0D-02000000CF01}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000150682754Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.819{3BF36828-BB01-61F9-7C0D-02000000CF01}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150682753Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.819{3BF36828-BB01-61F9-7C0D-02000000CF01}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25trueSplunk, Inc.Valid 10341000x8000000000000000150682752Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.819{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150682751Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.819{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150682750Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.819{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150682749Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.819{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150682748Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.819{3BF36828-4B36-61E8-0500-00000000CF01}4164876C:\Windows\system32\csrss.exe{3BF36828-BB01-61F9-7C0D-02000000CF01}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000150682747Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.819{3BF36828-4B49-61E8-2D00-00000000CF01}30564072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-BB01-61F9-7C0D-02000000CF01}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000150682746Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.805{3BF36828-BB01-61F9-7C0D-02000000CF01}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4B37-61E8-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000150682745Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.601{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2D002335E59141292B8FFA3740FC3B89,SHA256=6799F2915957D404FEFAEC7970805D9D424B6D0555271382AA393C01CB41BAA6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000150682744Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.382{3BF36828-BB01-61F9-7B0D-02000000CF01}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000150682743Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.382{3BF36828-BB01-61F9-7B0D-02000000CF01}61122888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150682742Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.382{3BF36828-BB01-61F9-7B0D-02000000CF01}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000150682741Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.382{3BF36828-BB01-61F9-7B0D-02000000CF01}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000150682740Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.210{3BF36828-BB01-61F9-7B0D-02000000CF01}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000150682739Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.210{3BF36828-BB01-61F9-7B0D-02000000CF01}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000150682738Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.210{3BF36828-BB01-61F9-7B0D-02000000CF01}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000150682737Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.210{3BF36828-BB01-61F9-7B0D-02000000CF01}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000150682736Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.210{3BF36828-BB01-61F9-7B0D-02000000CF01}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000150682735Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.210{3BF36828-BB01-61F9-7B0D-02000000CF01}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000150682734Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.210{3BF36828-BB01-61F9-7B0D-02000000CF01}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000150682733Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.210{3BF36828-BB01-61F9-7B0D-02000000CF01}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000150682732Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.194{3BF36828-BB01-61F9-7B0D-02000000CF01}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000150682731Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.194{3BF36828-BB01-61F9-7B0D-02000000CF01}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000150682730Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.194{3BF36828-BB01-61F9-7B0D-02000000CF01}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000150682729Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.194{3BF36828-BB01-61F9-7B0D-02000000CF01}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000150682728Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.194{3BF36828-BB01-61F9-7B0D-02000000CF01}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000150682727Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.194{3BF36828-BB01-61F9-7B0D-02000000CF01}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000150682726Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.194{3BF36828-BB01-61F9-7B0D-02000000CF01}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150682725Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.194{3BF36828-BB01-61F9-7B0D-02000000CF01}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000150682724Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.194{3BF36828-BB01-61F9-7B0D-02000000CF01}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000150682723Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.194{3BF36828-BB01-61F9-7B0D-02000000CF01}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000150682722Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.194{3BF36828-BB01-61F9-7B0D-02000000CF01}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000150682721Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.194{3BF36828-BB01-61F9-7B0D-02000000CF01}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000150682720Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.194{3BF36828-BB01-61F9-7B0D-02000000CF01}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000150682719Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.194{3BF36828-BB01-61F9-7B0D-02000000CF01}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000150682718Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.194{3BF36828-BB01-61F9-7B0D-02000000CF01}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000150682717Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.194{3BF36828-BB01-61F9-7B0D-02000000CF01}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000150682716Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.194{3BF36828-BB01-61F9-7B0D-02000000CF01}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000150682715Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.194{3BF36828-BB01-61F9-7B0D-02000000CF01}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000150682714Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.194{3BF36828-BB01-61F9-7B0D-02000000CF01}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000150682713Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.194{3BF36828-BB01-61F9-7B0D-02000000CF01}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000150682712Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.194{3BF36828-BB01-61F9-7B0D-02000000CF01}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000150682711Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.194{3BF36828-BB01-61F9-7B0D-02000000CF01}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000150682710Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.194{3BF36828-BB01-61F9-7B0D-02000000CF01}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000150682709Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.194{3BF36828-BB01-61F9-7B0D-02000000CF01}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000150682708Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.194{3BF36828-BB01-61F9-7B0D-02000000CF01}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000150682707Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.194{3BF36828-BB01-61F9-7B0D-02000000CF01}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000150682706Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.194{3BF36828-BB01-61F9-7B0D-02000000CF01}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x8000000000000000150682705Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.194{3BF36828-4B4B-61E8-3600-00000000CF01}34443464C:\Windows\system32\conhost.exe{3BF36828-BB01-61F9-7B0D-02000000CF01}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150682704Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.194{3BF36828-BB01-61F9-7B0D-02000000CF01}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000150682703Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.194{3BF36828-BB01-61F9-7B0D-02000000CF01}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000150682702Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.194{3BF36828-BB01-61F9-7B0D-02000000CF01}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150682701Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.194{3BF36828-BB01-61F9-7B0D-02000000CF01}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x8000000000000000150682700Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.194{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150682699Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.194{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150682698Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.194{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150682697Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.194{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150682696Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.194{3BF36828-4B36-61E8-0500-00000000CF01}416432C:\Windows\system32\csrss.exe{3BF36828-BB01-61F9-7B0D-02000000CF01}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000150682695Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.194{3BF36828-4B49-61E8-2D00-00000000CF01}30564072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-BB01-61F9-7B0D-02000000CF01}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000150682694Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.182{3BF36828-BB01-61F9-7B0D-02000000CF01}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4B37-61E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000150682693Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.179{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1588AED72483E15E880407BCE8105E5F,SHA256=6780D1B4FCEBDD4AEBC8757FD90BDD59D8CD4B7F52FA14B84737AFB4C37A3BA0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071086925Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:10.919{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2D3E860DCB3F368BC7E5B8185E4479C,SHA256=950D90D5D230C39F76EEF9A27362EFA9A9156F3803FBA3D0E6FD7F54AF6044D6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150682851Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:10.819{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DDF93C6D79EABD76C98D6154938325D0,SHA256=E396C5C5DCCA347653DBB31FEDA2B898282BD3EEE11F1D21EE03841CB3DFE30C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000150682850Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:10.679{3BF36828-BB02-61F9-7D0D-02000000CF01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000150682849Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:10.679{3BF36828-BB02-61F9-7D0D-02000000CF01}35485716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150682848Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:10.679{3BF36828-BB02-61F9-7D0D-02000000CF01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000150682847Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:10.679{3BF36828-BB02-61F9-7D0D-02000000CF01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000150682846Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:10.523{3BF36828-BB02-61F9-7D0D-02000000CF01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000150682845Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:10.523{3BF36828-BB02-61F9-7D0D-02000000CF01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000150682844Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:10.523{3BF36828-BB02-61F9-7D0D-02000000CF01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000150682843Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:10.523{3BF36828-BB02-61F9-7D0D-02000000CF01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000150682842Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:10.523{3BF36828-BB02-61F9-7D0D-02000000CF01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000150682841Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:10.523{3BF36828-BB02-61F9-7D0D-02000000CF01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000150682840Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:10.523{3BF36828-BB02-61F9-7D0D-02000000CF01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000150682839Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:10.523{3BF36828-BB02-61F9-7D0D-02000000CF01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000150682838Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:10.507{3BF36828-BB02-61F9-7D0D-02000000CF01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000150682837Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:10.507{3BF36828-BB02-61F9-7D0D-02000000CF01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000150682836Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:10.507{3BF36828-BB02-61F9-7D0D-02000000CF01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000150682835Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:10.507{3BF36828-BB02-61F9-7D0D-02000000CF01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000150682834Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:10.507{3BF36828-BB02-61F9-7D0D-02000000CF01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000150682833Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:10.507{3BF36828-BB02-61F9-7D0D-02000000CF01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000150682832Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:10.507{3BF36828-BB02-61F9-7D0D-02000000CF01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000150682831Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:10.507{3BF36828-BB02-61F9-7D0D-02000000CF01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000150682830Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:10.507{3BF36828-BB02-61F9-7D0D-02000000CF01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000150682829Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:10.507{3BF36828-BB02-61F9-7D0D-02000000CF01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000150682828Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:10.507{3BF36828-BB02-61F9-7D0D-02000000CF01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150682827Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:10.507{3BF36828-BB02-61F9-7D0D-02000000CF01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000150682826Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:10.507{3BF36828-BB02-61F9-7D0D-02000000CF01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000150682825Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:10.507{3BF36828-BB02-61F9-7D0D-02000000CF01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000150682824Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:10.507{3BF36828-BB02-61F9-7D0D-02000000CF01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000150682823Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:10.507{3BF36828-BB02-61F9-7D0D-02000000CF01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000150682822Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:10.507{3BF36828-BB02-61F9-7D0D-02000000CF01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000150682821Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:10.507{3BF36828-BB02-61F9-7D0D-02000000CF01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000150682820Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:10.507{3BF36828-BB02-61F9-7D0D-02000000CF01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000150682819Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:10.507{3BF36828-BB02-61F9-7D0D-02000000CF01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000150682818Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:10.507{3BF36828-BB02-61F9-7D0D-02000000CF01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000150682817Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:10.507{3BF36828-BB02-61F9-7D0D-02000000CF01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000150682816Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:10.507{3BF36828-BB02-61F9-7D0D-02000000CF01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000150682815Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:10.507{3BF36828-BB02-61F9-7D0D-02000000CF01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000150682814Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:10.507{3BF36828-BB02-61F9-7D0D-02000000CF01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000150682813Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:10.507{3BF36828-BB02-61F9-7D0D-02000000CF01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000150682812Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:10.507{3BF36828-BB02-61F9-7D0D-02000000CF01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x8000000000000000150682811Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:10.507{3BF36828-4B4B-61E8-3600-00000000CF01}34443464C:\Windows\system32\conhost.exe{3BF36828-BB02-61F9-7D0D-02000000CF01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150682810Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:10.507{3BF36828-BB02-61F9-7D0D-02000000CF01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000150682809Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:10.507{3BF36828-BB02-61F9-7D0D-02000000CF01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000150682808Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:10.507{3BF36828-BB02-61F9-7D0D-02000000CF01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150682807Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:10.507{3BF36828-BB02-61F9-7D0D-02000000CF01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x8000000000000000150682806Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:10.507{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150682805Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:10.507{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150682804Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:10.507{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150682803Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:10.507{3BF36828-4B36-61E8-0500-00000000CF01}416432C:\Windows\system32\csrss.exe{3BF36828-BB02-61F9-7D0D-02000000CF01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000150682802Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:10.507{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150682801Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:10.507{3BF36828-4B49-61E8-2D00-00000000CF01}30564072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-BB02-61F9-7D0D-02000000CF01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000150682800Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:10.492{3BF36828-BB02-61F9-7D0D-02000000CF01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4B37-61E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000150682799Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:10.226{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44D8EF85275D6C2A4009D2CD299CE5F5,SHA256=49993DE1083D0600A0432D7DF6843A23E2B36427312A31E4111A44AA8995B125,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000071086924Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:10.606{B81B27B7-4B3C-61E8-3000-00000000CE01}31083128C:\Windows\system32\conhost.exe{B81B27B7-BB02-61F9-490D-02000000CE01}1600C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071086923Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:10.606{B81B27B7-4B39-61E8-0C00-00000000CE01}7364968C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071086922Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:10.606{B81B27B7-4B39-61E8-0C00-00000000CE01}7364968C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071086921Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:10.606{B81B27B7-4B39-61E8-0C00-00000000CE01}7364968C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071086920Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:10.606{B81B27B7-4B39-61E8-0C00-00000000CE01}7364968C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071086919Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:10.606{B81B27B7-4B38-61E8-0500-00000000CE01}420436C:\Windows\system32\csrss.exe{B81B27B7-BB02-61F9-490D-02000000CE01}1600C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000071086918Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:10.606{B81B27B7-4B3A-61E8-2600-00000000CE01}21723992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-BB02-61F9-490D-02000000CE01}1600C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000071086917Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:10.592{B81B27B7-BB02-61F9-490D-02000000CE01}1600C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4B39-61E8-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000071086916Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:03.870{B81B27B7-4B45-61E8-6600-00000000CE01}4020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local54088-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000071086915Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:10.263{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4C5D168E12C3D9D0ADBF869A33B7644F,SHA256=1BB29BA83DEC31B6F6757B0A56E0A3F66A234916E4DFE118344E76DD78957B47,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071086914Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:10.263{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=20D9B05C9F8692F669ADC913DDD3B687,SHA256=F8E75B2FB4C4814590ACFA32CEF84C4A9132F0BD4AE38D4A0098CE3F347C89F3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000071086913Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:10.138{B81B27B7-BB01-61F9-480D-02000000CE01}20641548C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150682798Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:10.007{3BF36828-BB01-61F9-7C0D-02000000CF01}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000150682797Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:10.007{3BF36828-BB01-61F9-7C0D-02000000CF01}3836712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150682796Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:10.007{3BF36828-BB01-61F9-7C0D-02000000CF01}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000150682795Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.991{3BF36828-BB01-61F9-7C0D-02000000CF01}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000071086927Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:11.935{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7012E8927C03A441ED0AD709C69FD213,SHA256=8015C9EE6C2C4D56E06364BAC0C161A2FFD2CBB4D0B3047BB49A49D8DC0F6717,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150682852Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:11.460{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBCA320DAEE479D2B9FF0048301976B7,SHA256=32D3C3A8CD537E20A0B08B98E66E939A3D6750C709A66BF3AFE5F94566151716,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071086926Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:11.653{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4C5D168E12C3D9D0ADBF869A33B7644F,SHA256=1BB29BA83DEC31B6F6757B0A56E0A3F66A234916E4DFE118344E76DD78957B47,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071086928Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:12.935{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD7C093DDD3F218AC0F36FFA2E589B42,SHA256=BFF06CC9E4333E648017AFA4F6E3B514186D62DFD756FF742E06D68FE6DC2562,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150682854Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:12.476{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=521DD6BE3B86F9AA39647EA5CEE2D0ED,SHA256=DB6A638AFB5919D764C540D8ABE40FE3ECB9BA4BE3848DF4EBAB6C3DA0B29C7A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000150682853Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:57:53.627{3BF36828-4B56-61E8-6D00-00000000CF01}4044C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local59754-false10.0.1.12-8000- 23542300x800000000000000071086929Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:13.935{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E010669F248B705CD4296A9C3FD1C77D,SHA256=1095D3C4DB55F7D01DBC1A7C56612BDA40139C72D2CF80B7DF4C07D0E3C319DD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150682855Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:13.491{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1695716B52625F6A344E1542F0D313DE,SHA256=C0E4A2C2150A4DA78565EFBD27CF851D1045F2FD83464A9036ECE4F88DD344A6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150682856Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:14.507{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAF915ADA0FD26AEB265042D156A0D1E,SHA256=C86C053F4576E2A0343EECCDC8D96BE4DFA5F41954CC3E6EE3B5DB19563C9796,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150682857Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:15.538{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B45538CEAC3B12555070D654D2EF2BAA,SHA256=5E5D63ED6F0D2C8B6C388DC564C9A4B2EB659C7AC89A6D75AA3752B6E496E55B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071086930Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:15.153{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21E5801F1E22A725E4163F6986ACC42A,SHA256=190FE7C529D9896BEA075ED5E8DA85B6E3B3A38621D33E41B6D1DDDEF53A5353,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150682860Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:16.539{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC91FE1C768B36E3B0690A06D3535222,SHA256=F786499A18D71698E5ADF34F413964DC399F8842483188AF5266C08D008EEC37,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071086931Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:16.154{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A3C782874267F3949B5C291BF0BD158,SHA256=CF52F7AF923073BEC72C95A34F219277CBD0090E3C3C04BB2826520DC327C3BC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150682859Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:16.163{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=00E2D0E66F1D3E6A507532A1FCA288D2,SHA256=74E927611418295C202D45B9E35FDB6FEF704C34123044AD01B9426E32CC463C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150682858Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:16.163{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C2A849887278B8AA8268DA48A7EC621D,SHA256=913660FAACEBA5852A101CC3D2F4908277EC6A771A9662877C89E19C51650077,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000150682913Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:17.727{3BF36828-BB09-61F9-7E0D-02000000CF01}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000150682912Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:17.727{3BF36828-BB09-61F9-7E0D-02000000CF01}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000150682911Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:17.727{3BF36828-BB09-61F9-7E0D-02000000CF01}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000150682910Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:17.586{3BF36828-BB09-61F9-7E0D-02000000CF01}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000150682909Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:17.586{3BF36828-BB09-61F9-7E0D-02000000CF01}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000150682908Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:17.586{3BF36828-BB09-61F9-7E0D-02000000CF01}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000150682907Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:17.586{3BF36828-BB09-61F9-7E0D-02000000CF01}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000150682906Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:17.586{3BF36828-BB09-61F9-7E0D-02000000CF01}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000150682905Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:17.586{3BF36828-BB09-61F9-7E0D-02000000CF01}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000150682904Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:17.586{3BF36828-BB09-61F9-7E0D-02000000CF01}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000150682903Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:17.571{3BF36828-BB09-61F9-7E0D-02000000CF01}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000150682902Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:17.571{3BF36828-BB09-61F9-7E0D-02000000CF01}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000150682901Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:17.571{3BF36828-BB09-61F9-7E0D-02000000CF01}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000150682900Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:17.571{3BF36828-BB09-61F9-7E0D-02000000CF01}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000150682899Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:17.571{3BF36828-BB09-61F9-7E0D-02000000CF01}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000150682898Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:17.571{3BF36828-BB09-61F9-7E0D-02000000CF01}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000150682897Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:17.571{3BF36828-BB09-61F9-7E0D-02000000CF01}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000150682896Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:17.571{3BF36828-BB09-61F9-7E0D-02000000CF01}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045,IMPHASH=2005807FD04567B79F4109D23F9E6018trueMicrosoft WindowsValid 734700x8000000000000000150682895Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:17.571{3BF36828-BB09-61F9-7E0D-02000000CF01}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000150682894Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:17.571{3BF36828-BB09-61F9-7E0D-02000000CF01}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000150682893Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:17.571{3BF36828-BB09-61F9-7E0D-02000000CF01}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000150682892Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:17.571{3BF36828-BB09-61F9-7E0D-02000000CF01}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000150682891Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:17.571{3BF36828-BB09-61F9-7E0D-02000000CF01}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000150682890Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:17.571{3BF36828-BB09-61F9-7E0D-02000000CF01}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000150682889Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:17.571{3BF36828-BB09-61F9-7E0D-02000000CF01}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000150682888Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:17.571{3BF36828-BB09-61F9-7E0D-02000000CF01}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000150682887Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:17.571{3BF36828-BB09-61F9-7E0D-02000000CF01}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000150682886Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:17.571{3BF36828-BB09-61F9-7E0D-02000000CF01}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000150682885Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:17.571{3BF36828-BB09-61F9-7E0D-02000000CF01}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000150682884Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:17.571{3BF36828-BB09-61F9-7E0D-02000000CF01}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000150682883Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:17.571{3BF36828-BB09-61F9-7E0D-02000000CF01}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000150682882Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:17.571{3BF36828-BB09-61F9-7E0D-02000000CF01}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000150682881Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:17.571{3BF36828-BB09-61F9-7E0D-02000000CF01}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000150682880Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:17.571{3BF36828-BB09-61F9-7E0D-02000000CF01}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000150682879Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:17.571{3BF36828-BB09-61F9-7E0D-02000000CF01}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x8000000000000000150682878Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:17.571{3BF36828-BB09-61F9-7E0D-02000000CF01}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000150682877Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:17.571{3BF36828-BB09-61F9-7E0D-02000000CF01}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000150682876Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:17.571{3BF36828-BB09-61F9-7E0D-02000000CF01}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150682875Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:17.571{3BF36828-BB09-61F9-7E0D-02000000CF01}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000150682874Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:17.571{3BF36828-4B4B-61E8-3600-00000000CF01}34443464C:\Windows\system32\conhost.exe{3BF36828-BB09-61F9-7E0D-02000000CF01}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150682873Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:17.571{3BF36828-BB09-61F9-7E0D-02000000CF01}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000150682872Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:17.571{3BF36828-BB09-61F9-7E0D-02000000CF01}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000150682871Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:17.571{3BF36828-BB09-61F9-7E0D-02000000CF01}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150682870Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:17.571{3BF36828-BB09-61F9-7E0D-02000000CF01}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748trueSplunk, Inc.Valid 10341000x8000000000000000150682869Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:17.571{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150682868Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:17.571{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150682867Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:17.571{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150682866Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:17.571{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150682865Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:17.571{3BF36828-4B36-61E8-0500-00000000CF01}416532C:\Windows\system32\csrss.exe{3BF36828-BB09-61F9-7E0D-02000000CF01}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000150682864Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:17.571{3BF36828-4B49-61E8-2D00-00000000CF01}30564072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-BB09-61F9-7E0D-02000000CF01}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000150682863Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:17.556{3BF36828-BB09-61F9-7E0D-02000000CF01}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4B37-61E8-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000150682862Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:17.555{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8133A6FB2EFCB695D520F69536BAE9FF,SHA256=080280EF2804D089368A2E5DB6711BEFECD5D825ED08E4E625A17CED9D419D5F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000071086933Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:09.776{B81B27B7-4B45-61E8-6600-00000000CE01}4020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local54089-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000071086932Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:17.231{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF38E15F3E749A742BBE4E5A3F983AB3,SHA256=A46F253F573361AA39A633A1D08567F3F33B17DEF61F09E07C203CDD77517EA0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000150682861Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:57:58.689{3BF36828-4B56-61E8-6D00-00000000CF01}4044C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local59755-false10.0.1.12-8000- 23542300x8000000000000000150682915Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:18.883{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A635C2AC1BF064E826F30CE85067D5DD,SHA256=5A87CA286E84F1CC94D37AB29644450B2D0129064A4819A99F3F38C1CDBB0454,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150682914Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:18.571{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=00E2D0E66F1D3E6A507532A1FCA288D2,SHA256=74E927611418295C202D45B9E35FDB6FEF704C34123044AD01B9426E32CC463C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071086934Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:18.247{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=369BF7B2CBB3EA738912AB02CD40845E,SHA256=2D019F681074E34AE8CDDD32A9EF1FC691FDDEFCA65BFAC3114894E6A1688914,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150682916Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:19.664{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCE81D16022C304EF943E92E7A8DFCDA,SHA256=30166FEF8C99378670333A0A77D72F6C34CA2046C034C14EEBB2E6F3E060CFB2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071086935Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:19.294{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB6ED0E6E2802E99E02E76C23850821A,SHA256=C354FD69E704F274AA31EACF3028E7624D623E256490FE4C566222293020B968,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000071086945Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:20.997{B81B27B7-BB0C-61F9-4A0D-02000000CE01}41844656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071086944Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:20.794{B81B27B7-4B3C-61E8-3000-00000000CE01}31083128C:\Windows\system32\conhost.exe{B81B27B7-BB0C-61F9-4A0D-02000000CE01}4184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071086943Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:20.794{B81B27B7-4B39-61E8-0C00-00000000CE01}7364968C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071086942Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:20.794{B81B27B7-4B39-61E8-0C00-00000000CE01}7364968C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071086941Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:20.794{B81B27B7-4B39-61E8-0C00-00000000CE01}7364968C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071086940Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:20.794{B81B27B7-4B39-61E8-0C00-00000000CE01}7364968C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071086939Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:20.794{B81B27B7-4B38-61E8-0500-00000000CE01}4201000C:\Windows\system32\csrss.exe{B81B27B7-BB0C-61F9-4A0D-02000000CE01}4184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000071086938Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:20.794{B81B27B7-4B3A-61E8-2600-00000000CE01}21723992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-BB0C-61F9-4A0D-02000000CE01}4184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000071086937Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:20.779{B81B27B7-BB0C-61F9-4A0D-02000000CE01}4184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4B39-61E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000071086936Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:20.310{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E891203967425B7EA70414DA28B451E0,SHA256=0586FFBDB093BD558C65B773568834F047CED6219E6F212CC378AC0CBE6A6293,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150682918Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:20.696{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C1BE9B00A45C6C05F137A31726DC990,SHA256=CD20FE639CCA5C53C4D428EDEC95128CC1BD58F93BB427E49E7DD481BED50995,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150682917Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:20.305{3BF36828-4B39-61E8-1300-00000000CF01}352NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=CE4C651BE21B0EA92F6DC17A83489C44,SHA256=86A9CB2B1330F00247BF16E668C35D9C535300FBF43F88CE7F746A8705708292,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071086957Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:21.856{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=747C13B142E9D9A29FEF77FF563C4814,SHA256=142519DC38376B0121D983CBEB877808D6C7ACD9359DEB8EA85668215DFD2CD9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071086956Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:21.856{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=954D3EE946909E3E3E91AB7E5D791635,SHA256=93980D6C94FC5C430AED44C832E10CCC3E2CFB0A57439B3D66913021E642B1E6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000071086955Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:21.685{B81B27B7-BB0D-61F9-4B0D-02000000CE01}42164204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071086954Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:21.481{B81B27B7-4B3C-61E8-3000-00000000CE01}31083128C:\Windows\system32\conhost.exe{B81B27B7-BB0D-61F9-4B0D-02000000CE01}4216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071086953Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:21.481{B81B27B7-4B39-61E8-0C00-00000000CE01}7364968C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071086952Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:21.481{B81B27B7-4B39-61E8-0C00-00000000CE01}7364968C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071086951Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:21.481{B81B27B7-4B39-61E8-0C00-00000000CE01}7364968C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071086950Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:21.481{B81B27B7-4B39-61E8-0C00-00000000CE01}7364968C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071086949Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:21.481{B81B27B7-4B38-61E8-0500-00000000CE01}420436C:\Windows\system32\csrss.exe{B81B27B7-BB0D-61F9-4B0D-02000000CE01}4216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000071086948Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:21.481{B81B27B7-4B3A-61E8-2600-00000000CE01}21723992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-BB0D-61F9-4B0D-02000000CE01}4216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000071086947Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:21.467{B81B27B7-BB0D-61F9-4B0D-02000000CE01}4216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4B39-61E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000071086946Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:21.466{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E170249332516D076BD8478075816186,SHA256=A84D8CCAA717EC58B8A3DB6CA062BCAC04C530B9994ACEC14C32CAEEDD1F3ABD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150682919Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:21.743{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE87B95E26B52C187EDA9C1ADCAA846D,SHA256=579378360383AD2DAF3E8641891370BE3FD06BEA6C01815DCB1FFF476B77F003,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150682922Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:22.758{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB457E745548437E6776DE4A66CCCCB4,SHA256=BD8E1AF76491C344043975238B9574EEFE2F34B69E10162DE4780509EFE3177E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000071086976Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:22.856{B81B27B7-4B3C-61E8-3000-00000000CE01}31083128C:\Windows\system32\conhost.exe{B81B27B7-BB0E-61F9-4D0D-02000000CE01}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071086975Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:22.856{B81B27B7-4B39-61E8-0C00-00000000CE01}7364968C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071086974Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:22.856{B81B27B7-4B39-61E8-0C00-00000000CE01}7364968C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071086973Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:22.856{B81B27B7-4B39-61E8-0C00-00000000CE01}7364968C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071086972Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:22.856{B81B27B7-4B39-61E8-0C00-00000000CE01}7364968C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071086971Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:22.856{B81B27B7-4B38-61E8-0500-00000000CE01}420436C:\Windows\system32\csrss.exe{B81B27B7-BB0E-61F9-4D0D-02000000CE01}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000071086970Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:22.856{B81B27B7-4B3A-61E8-2600-00000000CE01}21723992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-BB0E-61F9-4D0D-02000000CE01}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000071086969Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:22.841{B81B27B7-BB0E-61F9-4D0D-02000000CE01}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4B39-61E8-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000071086968Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:22.701{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F7D939F7B13DE6B857AE53206190801,SHA256=211F40752044798C5B495803D921BE4D534B59B5AC5571F9FF2CD9A26E6AC93A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000071086967Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:14.807{B81B27B7-4B45-61E8-6600-00000000CE01}4020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local54090-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x800000000000000071086966Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:22.419{B81B27B7-BB0E-61F9-4C0D-02000000CE01}50283844C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071086965Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:22.185{B81B27B7-4B3C-61E8-3000-00000000CE01}31083128C:\Windows\system32\conhost.exe{B81B27B7-BB0E-61F9-4C0D-02000000CE01}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071086964Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:22.169{B81B27B7-4B39-61E8-0C00-00000000CE01}7364968C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071086963Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:22.169{B81B27B7-4B39-61E8-0C00-00000000CE01}7364968C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071086962Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:22.169{B81B27B7-4B39-61E8-0C00-00000000CE01}7364968C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071086961Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:22.169{B81B27B7-4B39-61E8-0C00-00000000CE01}7364968C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071086960Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:22.169{B81B27B7-4B38-61E8-0500-00000000CE01}420436C:\Windows\system32\csrss.exe{B81B27B7-BB0E-61F9-4C0D-02000000CE01}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000071086959Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:22.169{B81B27B7-4B3A-61E8-2600-00000000CE01}21723992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-BB0E-61F9-4C0D-02000000CE01}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000071086958Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:22.154{B81B27B7-BB0E-61F9-4C0D-02000000CE01}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4B39-61E8-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000150682921Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:04.721{3BF36828-4B56-61E8-6D00-00000000CF01}4044C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local59756-false10.0.1.12-8000- 23542300x8000000000000000150682920Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:22.180{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F52E2ED21653848069A683FCE893CE09,SHA256=E3A1D7FA60F2703755D2443788E60BD2E2AD893231A813CA26DA21C4CC2E0E55,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150682923Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:23.774{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7422E0664A3760FB6B6BC9F9FDA27EF8,SHA256=F1A44AD934AC5EE7701B60AC89AC06BB81B42D3CE3D396B4B68E93B5621AEABC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071086978Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:23.731{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84B54E9AA785E94C95344879AC39F0E9,SHA256=A6E5FB027B11BFEA6859C28B9C32C06109EF24058F680D59768CF3E00819A572,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071086977Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:23.169{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=747C13B142E9D9A29FEF77FF563C4814,SHA256=142519DC38376B0121D983CBEB877808D6C7ACD9359DEB8EA85668215DFD2CD9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150682924Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:24.789{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A54F11DC169045215DC94C620FA142AA,SHA256=19E3D52ABDC4C38F9DEEB7CF488A7DA03D6BD353C510BC4780BA254C2037861E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071086979Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:24.778{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8D83805074C2CD97791CEB046A5EB5F,SHA256=8585BF8A0057716C7F4339153D5C9AA701A084EBCCCBFCCB62FD0F51D6C77D34,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150682925Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:25.821{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E69F37F1962FD5BFAE0BFF409E43703B,SHA256=587D446B34308218DAADDE349C0D8845E3BAD3BF9E03AA7C87BA8550679682DC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071086980Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:25.810{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=597BB5EC2151294E251B3678A848E255,SHA256=898A9854ECF28BE4FA9E5887AE5880DFA08B2613BC1263BBED0E31FFDADDF135,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087034Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:26.888{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D51F588A201DD4D6352896DDF75407DA,SHA256=3774906EB2AC382774BB88259E31F5F2E8071E0E796C5DB9969C29497E68BD43,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150682926Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:26.836{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C9224756CD66406A520190FC2131798,SHA256=E882B2AAFB0B910EE940D7ACB5D47344694E0E27C937C27BEF2A10D5060749F5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000071087033Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:26.747{B81B27B7-AED0-61F9-AE0B-02000000CE01}5072944C:\Windows\System32\RuntimeBroker.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000071087032Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:26.747{B81B27B7-AED0-61F9-AE0B-02000000CE01}5072944C:\Windows\System32\RuntimeBroker.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000071087031Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:26.747{B81B27B7-AED0-61F9-B70B-02000000CE01}37403332C:\Windows\Explorer.EXE{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087030Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:26.747{B81B27B7-AED0-61F9-B70B-02000000CE01}37403332C:\Windows\Explorer.EXE{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000071087029Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:26.716{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F9560CBFB6C6DDD4F333446EEC44634,SHA256=B16C45D96B043D997FE2D6D0BF46764664C4B1DA516C0D09E932258D7DAE0415,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000071087028Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:26.700{B81B27B7-AED0-61F9-AE0B-02000000CE01}5072944C:\Windows\System32\RuntimeBroker.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000071087027Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:26.700{B81B27B7-AED0-61F9-AE0B-02000000CE01}5072944C:\Windows\System32\RuntimeBroker.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x800000000000000071087026Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:26.685{B81B27B7-AED0-61F9-B70B-02000000CE01}37403356C:\Windows\Explorer.EXE{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000071087025Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:26.685{B81B27B7-AED0-61F9-B70B-02000000CE01}37403356C:\Windows\Explorer.EXE{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000071087024Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:26.685{B81B27B7-AED0-61F9-B70B-02000000CE01}37404316C:\Windows\Explorer.EXE{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13af|C:\Windows\System32\SHELL32.dll+b3175|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087023Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:26.685{B81B27B7-AED0-61F9-B70B-02000000CE01}37404316C:\Windows\Explorer.EXE{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b308e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087022Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:26.685{B81B27B7-4B3A-61E8-2100-00000000CE01}10764576C:\Windows\system32\svchost.exe{B81B27B7-AED1-61F9-B90B-02000000CE01}716C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\tileobjserver.dll+bce2|c:\windows\system32\tileobjserver.dll+26da2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000071087021Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:26.685{B81B27B7-4B3A-61E8-2100-00000000CE01}10764576C:\Windows\system32\svchost.exe{B81B27B7-AED1-61F9-B90B-02000000CE01}716C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|c:\windows\system32\tileobjserver.dll+bc8f|c:\windows\system32\tileobjserver.dll+26da2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 10341000x800000000000000071087020Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:26.669{B81B27B7-AED0-61F9-B70B-02000000CE01}37404316C:\Windows\Explorer.EXE{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087019Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:26.655{B81B27B7-4B39-61E8-0D00-00000000CE01}8043524C:\Windows\system32\svchost.exe{B81B27B7-AED1-61F9-B90B-02000000CE01}716C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087018Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:26.655{B81B27B7-4B39-61E8-0D00-00000000CE01}8043524C:\Windows\system32\svchost.exe{B81B27B7-AED1-61F9-B90B-02000000CE01}716C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087017Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:26.655{B81B27B7-4B39-61E8-0D00-00000000CE01}8043524C:\Windows\system32\svchost.exe{B81B27B7-AED1-61F9-B90B-02000000CE01}716C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087016Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:26.655{B81B27B7-4B39-61E8-0D00-00000000CE01}8043524C:\Windows\system32\svchost.exe{B81B27B7-AED1-61F9-B90B-02000000CE01}716C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087015Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:26.655{B81B27B7-4B39-61E8-0D00-00000000CE01}8045004C:\Windows\system32\svchost.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087014Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:26.638{B81B27B7-4B39-61E8-0D00-00000000CE01}8045004C:\Windows\system32\svchost.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087013Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:26.638{B81B27B7-4B39-61E8-0D00-00000000CE01}8045004C:\Windows\system32\svchost.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087012Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:26.638{B81B27B7-4B39-61E8-0D00-00000000CE01}8045004C:\Windows\system32\svchost.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087011Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:26.638{B81B27B7-4B39-61E8-0D00-00000000CE01}8043524C:\Windows\system32\svchost.exe{B81B27B7-AED1-61F9-B90B-02000000CE01}716C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087010Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:26.638{B81B27B7-4B39-61E8-0D00-00000000CE01}8043524C:\Windows\system32\svchost.exe{B81B27B7-AED1-61F9-B90B-02000000CE01}716C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087009Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:26.638{B81B27B7-4B39-61E8-0D00-00000000CE01}8043524C:\Windows\system32\svchost.exe{B81B27B7-AED1-61F9-B90B-02000000CE01}716C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087008Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:26.638{B81B27B7-4B39-61E8-0D00-00000000CE01}8043524C:\Windows\system32\svchost.exe{B81B27B7-AED1-61F9-B90B-02000000CE01}716C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087007Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:26.638{B81B27B7-4B39-61E8-0D00-00000000CE01}8045004C:\Windows\system32\svchost.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087006Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:26.638{B81B27B7-4B39-61E8-0D00-00000000CE01}8045004C:\Windows\system32\svchost.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087005Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:26.638{B81B27B7-4B39-61E8-0D00-00000000CE01}8043524C:\Windows\system32\svchost.exe{B81B27B7-AED1-61F9-B90B-02000000CE01}716C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087004Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:26.638{B81B27B7-4B39-61E8-0D00-00000000CE01}8043524C:\Windows\system32\svchost.exe{B81B27B7-AED1-61F9-B90B-02000000CE01}716C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087003Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:26.638{B81B27B7-4B39-61E8-0D00-00000000CE01}8043524C:\Windows\system32\svchost.exe{B81B27B7-AED1-61F9-B90B-02000000CE01}716C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087002Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:26.638{B81B27B7-4B39-61E8-0D00-00000000CE01}8043524C:\Windows\system32\svchost.exe{B81B27B7-AED1-61F9-B90B-02000000CE01}716C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087001Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:26.638{B81B27B7-4B39-61E8-0D00-00000000CE01}8043524C:\Windows\system32\svchost.exe{B81B27B7-AED1-61F9-B90B-02000000CE01}716C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087000Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:26.638{B81B27B7-4B39-61E8-0D00-00000000CE01}8043524C:\Windows\system32\svchost.exe{B81B27B7-AED1-61F9-B90B-02000000CE01}716C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071086999Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:26.638{B81B27B7-4B39-61E8-0C00-00000000CE01}736760C:\Windows\system32\svchost.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a384|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071086998Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:26.638{B81B27B7-4B39-61E8-0C00-00000000CE01}736760C:\Windows\system32\svchost.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071086997Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:26.638{B81B27B7-4B39-61E8-0C00-00000000CE01}736760C:\Windows\system32\svchost.exe{B81B27B7-AED1-61F9-B90B-02000000CE01}716C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071086996Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:26.638{B81B27B7-4B39-61E8-0C00-00000000CE01}7364968C:\Windows\system32\svchost.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000071086995Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:26.638{B81B27B7-4B39-61E8-0C00-00000000CE01}7364968C:\Windows\system32\svchost.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000071086994Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:26.638{B81B27B7-4B39-61E8-0C00-00000000CE01}7364968C:\Windows\system32\svchost.exe{B81B27B7-AED1-61F9-B90B-02000000CE01}716C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000071086993Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:26.638{B81B27B7-4B39-61E8-0C00-00000000CE01}7365060C:\Windows\system32\svchost.exe{B81B27B7-AED1-61F9-B90B-02000000CE01}716C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a384|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071086992Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:26.638{B81B27B7-4B39-61E8-0C00-00000000CE01}7365060C:\Windows\system32\svchost.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071086991Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:26.638{B81B27B7-4B39-61E8-0C00-00000000CE01}7365060C:\Windows\system32\svchost.exe{B81B27B7-AED1-61F9-B90B-02000000CE01}716C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071086990Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:26.638{B81B27B7-4B39-61E8-0C00-00000000CE01}7364968C:\Windows\system32\svchost.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000071086989Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:26.638{B81B27B7-4B39-61E8-0C00-00000000CE01}7364968C:\Windows\system32\svchost.exe{B81B27B7-AED1-61F9-B90B-02000000CE01}716C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000071086988Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:26.638{B81B27B7-4B39-61E8-0C00-00000000CE01}7364968C:\Windows\system32\svchost.exe{B81B27B7-AED1-61F9-B90B-02000000CE01}716C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000071086987Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:26.638{B81B27B7-4B39-61E8-0C00-00000000CE01}7365060C:\Windows\system32\svchost.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071086986Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:26.638{B81B27B7-4B39-61E8-0C00-00000000CE01}7365060C:\Windows\system32\svchost.exe{B81B27B7-AED1-61F9-B90B-02000000CE01}716C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071086985Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:26.638{B81B27B7-AED0-61F9-B70B-02000000CE01}37404872C:\Windows\Explorer.EXE{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071086984Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:26.638{B81B27B7-AED0-61F9-B70B-02000000CE01}37402724C:\Windows\Explorer.EXE{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071086983Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:26.638{B81B27B7-AED0-61F9-B70B-02000000CE01}37404872C:\Windows\Explorer.EXE{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071086982Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:26.638{B81B27B7-AED0-61F9-B70B-02000000CE01}37403356C:\Windows\Explorer.EXE{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+57c95|C:\Windows\System32\TwinUI.dll+37528|C:\Windows\System32\TwinUI.dll+37448|C:\Windows\System32\TwinUI.dll+38893|C:\Windows\System32\TwinUI.dll+36e6d|C:\Windows\System32\TwinUI.dll+36c71|C:\Windows\System32\TwinUI.dll+3fb990|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0 10341000x800000000000000071086981Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:26.638{B81B27B7-AED0-61F9-B70B-02000000CE01}37403356C:\Windows\Explorer.EXE{B81B27B7-AED1-61F9-B90B-02000000CE01}716C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+57c95|C:\Windows\System32\TwinUI.dll+37590|C:\Windows\System32\TwinUI.dll+37435|C:\Windows\System32\TwinUI.dll+38893|C:\Windows\System32\TwinUI.dll+36e6d|C:\Windows\System32\TwinUI.dll+36c71|C:\Windows\System32\TwinUI.dll+3fb990|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0 23542300x8000000000000000150682929Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:27.852{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E6FA47EAC8FFACCBB9009A67C9760CC,SHA256=97F2DA2698EF12720033C15C19BEA1177324A9E267328D37AE1F2971DF7567D6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000071087070Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:27.907{B81B27B7-AED0-61F9-AE0B-02000000CE01}50722788C:\Windows\System32\RuntimeBroker.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000071087069Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:27.907{B81B27B7-AED0-61F9-AE0B-02000000CE01}50722788C:\Windows\System32\RuntimeBroker.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x800000000000000071087068Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:27.907{B81B27B7-AED0-61F9-AE0B-02000000CE01}5072944C:\Windows\System32\RuntimeBroker.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000071087067Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:27.907{B81B27B7-AED0-61F9-AE0B-02000000CE01}5072944C:\Windows\System32\RuntimeBroker.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x800000000000000071087066Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:27.907{B81B27B7-AED0-61F9-AE0B-02000000CE01}50722788C:\Windows\System32\RuntimeBroker.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000071087065Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:27.907{B81B27B7-AED0-61F9-AE0B-02000000CE01}50722788C:\Windows\System32\RuntimeBroker.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 354300x800000000000000071087064Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:19.838{B81B27B7-4B45-61E8-6600-00000000CE01}4020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local54091-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x800000000000000071087063Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:27.810{B81B27B7-AED0-61F9-AE0B-02000000CE01}50722788C:\Windows\System32\RuntimeBroker.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000071087062Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:27.810{B81B27B7-AED0-61F9-AE0B-02000000CE01}50723884C:\Windows\System32\RuntimeBroker.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000071087061Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:27.810{B81B27B7-AED0-61F9-AE0B-02000000CE01}50722788C:\Windows\System32\RuntimeBroker.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x800000000000000071087060Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:27.810{B81B27B7-AED0-61F9-AE0B-02000000CE01}50723884C:\Windows\System32\RuntimeBroker.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x800000000000000071087059Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:27.810{B81B27B7-AED0-61F9-AE0B-02000000CE01}5072944C:\Windows\System32\RuntimeBroker.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000071087058Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:27.810{B81B27B7-AED0-61F9-AE0B-02000000CE01}5072944C:\Windows\System32\RuntimeBroker.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000071087057Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:27.794{B81B27B7-AED0-61F9-AE0B-02000000CE01}50722656C:\Windows\System32\RuntimeBroker.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d191|C:\Windows\System32\windows.storage.dll+f0036|C:\Windows\System32\windows.storage.dll+f1998|C:\Windows\system32\windows.cortana.Desktop.dll+f6ca|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000071087056Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:27.778{B81B27B7-AED0-61F9-AE0B-02000000CE01}50722656C:\Windows\System32\RuntimeBroker.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d191|C:\Windows\System32\windows.storage.dll+5d030|C:\Windows\System32\windows.storage.dll+6c014|C:\Windows\System32\windows.storage.dll+178c6b|C:\Windows\system32\windows.cortana.Desktop.dll+f61e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4 10341000x800000000000000071087055Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:27.747{B81B27B7-AED0-61F9-AE0B-02000000CE01}5072944C:\Windows\System32\RuntimeBroker.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000071087054Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:27.747{B81B27B7-AED0-61F9-AE0B-02000000CE01}5072944C:\Windows\System32\RuntimeBroker.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000071087053Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:27.700{B81B27B7-AED0-61F9-B70B-02000000CE01}37403356C:\Windows\Explorer.EXE{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000071087052Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:27.700{B81B27B7-AED0-61F9-B70B-02000000CE01}37403356C:\Windows\Explorer.EXE{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000071087051Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:27.700{B81B27B7-AED0-61F9-AE0B-02000000CE01}5072944C:\Windows\System32\RuntimeBroker.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000071087050Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:27.700{B81B27B7-AED0-61F9-AE0B-02000000CE01}5072944C:\Windows\System32\RuntimeBroker.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x800000000000000071087049Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:27.700{B81B27B7-AED0-61F9-AE0B-02000000CE01}50723884C:\Windows\System32\RuntimeBroker.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000071087048Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:27.700{B81B27B7-AED0-61F9-AE0B-02000000CE01}50723884C:\Windows\System32\RuntimeBroker.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x800000000000000071087047Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:27.700{B81B27B7-AED0-61F9-AE0B-02000000CE01}5072944C:\Windows\System32\RuntimeBroker.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000071087046Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:27.700{B81B27B7-AED0-61F9-AE0B-02000000CE01}5072944C:\Windows\System32\RuntimeBroker.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000071087045Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:27.700{B81B27B7-4B3A-61E8-1400-00000000CE01}921796C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087044Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:27.685{B81B27B7-AED0-61F9-B70B-02000000CE01}37403332C:\Windows\Explorer.EXE{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087043Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:27.685{B81B27B7-AED0-61F9-B70B-02000000CE01}37403332C:\Windows\Explorer.EXE{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087042Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:27.685{B81B27B7-AED0-61F9-AE0B-02000000CE01}50723884C:\Windows\System32\RuntimeBroker.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000071087041Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:27.685{B81B27B7-AED0-61F9-AE0B-02000000CE01}50723884C:\Windows\System32\RuntimeBroker.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x800000000000000071087040Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:27.685{B81B27B7-AED0-61F9-AE0B-02000000CE01}5072944C:\Windows\System32\RuntimeBroker.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\execmodelclient.dll+8e62|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000071087039Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:27.685{B81B27B7-AED0-61F9-AE0B-02000000CE01}5072944C:\Windows\System32\RuntimeBroker.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\execmodelclient.dll+8d5e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000071087038Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:27.685{B81B27B7-AED0-61F9-B70B-02000000CE01}3740876C:\Windows\Explorer.EXE{B81B27B7-AED1-61F9-B90B-02000000CE01}716C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087037Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:27.685{B81B27B7-AED0-61F9-B70B-02000000CE01}3740876C:\Windows\Explorer.EXE{B81B27B7-AED1-61F9-B90B-02000000CE01}716C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087036Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:27.685{B81B27B7-AED0-61F9-B70B-02000000CE01}37403332C:\Windows\Explorer.EXE{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087035Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:27.685{B81B27B7-AED0-61F9-B70B-02000000CE01}37403332C:\Windows\Explorer.EXE{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000150682928Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:27.368{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=82431A8B31343BE052039274B158CEA4,SHA256=559EF84D814E438BBC6DD36DE7063847F774E38A854DF66BAED24C0081E717AF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150682927Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:27.368{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=22792713E6F9F17931D885B0994457F6,SHA256=0C65E2A1624B2A91E06EE893E3835B0F0277DB95071DA906E9EBAD3FA49BD1AC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150682931Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:28.883{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=175286C8DFEC215ED5E47DFE5536329B,SHA256=AE95D694CE20FC81A0BF32FA001BDCE5D023DA1A8854C5EC7D286FF863079004,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087126Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:28.923{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C3BDC1CC0DE2B402FC039E5CA243DF1,SHA256=BE106CA53C16A0238138FE5762FF409A59E90A45159A479467F0C52FE1CCF3FD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000071087125Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:28.439{B81B27B7-4B39-61E8-0C00-00000000CE01}736760C:\Windows\system32\svchost.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000071087124Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:28.439{B81B27B7-4B39-61E8-0C00-00000000CE01}736760C:\Windows\system32\svchost.exe{B81B27B7-AED1-61F9-B90B-02000000CE01}716C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000071087123Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:28.439{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-AED1-61F9-B90B-02000000CE01}716C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000071087122Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:28.439{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000071087121Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:28.439{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-AED1-61F9-B90B-02000000CE01}716C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000071087120Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:28.439{B81B27B7-AED0-61F9-AF0B-02000000CE01}21362040C:\Windows\system32\sihost.exe{B81B27B7-AED1-61F9-B90B-02000000CE01}716C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087119Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:28.376{B81B27B7-4B39-61E8-0C00-00000000CE01}7365060C:\Windows\system32\svchost.exe{B81B27B7-AED1-61F9-B90B-02000000CE01}716C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000071087118Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:28.376{B81B27B7-4B39-61E8-0C00-00000000CE01}7365060C:\Windows\system32\svchost.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000071087117Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:28.376{B81B27B7-4B39-61E8-0C00-00000000CE01}7365060C:\Windows\system32\svchost.exe{B81B27B7-AED1-61F9-B90B-02000000CE01}716C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000071087116Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:28.376{B81B27B7-4B3A-61E8-2100-00000000CE01}10762436C:\Windows\system32\svchost.exe{B81B27B7-AED1-61F9-B90B-02000000CE01}716C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\tileobjserver.dll+bce2|c:\windows\system32\tileobjserver.dll+26da2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000071087115Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:28.376{B81B27B7-4B3A-61E8-2100-00000000CE01}10762436C:\Windows\system32\svchost.exe{B81B27B7-AED1-61F9-B90B-02000000CE01}716C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|c:\windows\system32\tileobjserver.dll+bc8f|c:\windows\system32\tileobjserver.dll+26da2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 23542300x800000000000000071087114Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:28.220{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0C1C27091B98EE5D09F33C6C321ECF3,SHA256=B8B9351E4B511F7B35D1A128C38065968EA5B3CA94A2DC8AABD358BB17C7B881,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000071087113Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:28.204{B81B27B7-AED0-61F9-B70B-02000000CE01}37404316C:\Windows\Explorer.EXE{B81B27B7-BB14-61F9-4E0D-02000000CE01}2400C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+15d19|C:\Windows\System32\SHELL32.dll+b1b50|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087112Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:28.204{B81B27B7-AED0-61F9-B70B-02000000CE01}37404316C:\Windows\Explorer.EXE{B81B27B7-BB14-61F9-4E0D-02000000CE01}2400C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087111Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:28.204{B81B27B7-AED0-61F9-B10B-02000000CE01}39884684C:\Windows\system32\taskhostw.exe{B81B27B7-BB14-61F9-4F0D-02000000CE01}5020C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087110Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:28.204{B81B27B7-AED0-61F9-B10B-02000000CE01}39884684C:\Windows\system32\taskhostw.exe{B81B27B7-BB14-61F9-4F0D-02000000CE01}5020C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087109Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:28.204{B81B27B7-AED0-61F9-B70B-02000000CE01}3740968C:\Windows\Explorer.EXE{B81B27B7-BB14-61F9-4E0D-02000000CE01}2400C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+15d19|C:\Windows\System32\SHELL32.dll+b1b50|C:\Windows\System32\SHELL32.dll+f744|C:\Windows\Explorer.EXE+1e118|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087108Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:28.204{B81B27B7-AED0-61F9-B70B-02000000CE01}3740968C:\Windows\Explorer.EXE{B81B27B7-BB14-61F9-4E0D-02000000CE01}2400C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+f744|C:\Windows\Explorer.EXE+1e118|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087107Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:28.204{B81B27B7-AED0-61F9-B70B-02000000CE01}3740968C:\Windows\Explorer.EXE{B81B27B7-BB14-61F9-4E0D-02000000CE01}2400C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+15d19|C:\Windows\System32\SHELL32.dll+b1b50|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087106Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:28.204{B81B27B7-AED0-61F9-B70B-02000000CE01}3740968C:\Windows\Explorer.EXE{B81B27B7-BB14-61F9-4E0D-02000000CE01}2400C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087105Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:28.204{B81B27B7-AED0-61F9-B70B-02000000CE01}37402724C:\Windows\Explorer.EXE{B81B27B7-BB14-61F9-4F0D-02000000CE01}5020C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13af|C:\Windows\System32\SHELL32.dll+b2af0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087104Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:28.204{B81B27B7-AED0-61F9-B70B-02000000CE01}3740968C:\Windows\Explorer.EXE{B81B27B7-BB14-61F9-4E0D-02000000CE01}2400C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087103Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:28.204{B81B27B7-AED0-61F9-B70B-02000000CE01}37402724C:\Windows\Explorer.EXE{B81B27B7-BB14-61F9-4F0D-02000000CE01}5020C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+981b0|C:\Windows\System32\SHELL32.dll+b2aac|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087102Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:28.189{B81B27B7-AED0-61F9-B70B-02000000CE01}37402724C:\Windows\Explorer.EXE{B81B27B7-BB14-61F9-4F0D-02000000CE01}5020C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b2a80|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000150682930Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.783{3BF36828-4B56-61E8-6D00-00000000CF01}4044C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local59757-false10.0.1.12-8000- 10341000x800000000000000071087101Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:28.189{B81B27B7-AED0-61F9-B70B-02000000CE01}37402724C:\Windows\Explorer.EXE{B81B27B7-BB14-61F9-4F0D-02000000CE01}5020C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087100Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:28.157{B81B27B7-4B3A-61E8-1600-00000000CE01}11962840C:\Windows\system32\svchost.exe{B81B27B7-BB14-61F9-4F0D-02000000CE01}5020C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087099Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:28.157{B81B27B7-4B3A-61E8-1600-00000000CE01}11961244C:\Windows\system32\svchost.exe{B81B27B7-BB14-61F9-4F0D-02000000CE01}5020C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087098Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:28.157{B81B27B7-BB14-61F9-4F0D-02000000CE01}50205068C:\Windows\system32\conhost.exe{B81B27B7-BB14-61F9-4E0D-02000000CE01}2400C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087097Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:28.142{B81B27B7-AED0-61F9-B70B-02000000CE01}37403356C:\Windows\Explorer.EXE{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000071087096Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:28.142{B81B27B7-AED0-61F9-B70B-02000000CE01}37403356C:\Windows\Explorer.EXE{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000071087095Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:28.142{B81B27B7-AECD-61F9-A70B-02000000CE01}2203852C:\Windows\system32\csrss.exe{B81B27B7-BB14-61F9-4F0D-02000000CE01}5020C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000071087094Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:28.142{B81B27B7-4B39-61E8-0C00-00000000CE01}736760C:\Windows\system32\svchost.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087093Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:28.126{B81B27B7-AED0-61F9-B70B-02000000CE01}3740136C:\Windows\Explorer.EXE{B81B27B7-AED1-61F9-B90B-02000000CE01}716C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087092Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:28.126{B81B27B7-AED0-61F9-B70B-02000000CE01}3740136C:\Windows\Explorer.EXE{B81B27B7-AED1-61F9-B90B-02000000CE01}716C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087091Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:28.126{B81B27B7-AED0-61F9-B70B-02000000CE01}37403332C:\Windows\Explorer.EXE{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087090Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:28.126{B81B27B7-AED0-61F9-B70B-02000000CE01}37403332C:\Windows\Explorer.EXE{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087089Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:28.126{B81B27B7-4B39-61E8-0C00-00000000CE01}7365060C:\Windows\system32\svchost.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087088Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:28.126{B81B27B7-AECD-61F9-A70B-02000000CE01}2203852C:\Windows\system32\csrss.exe{B81B27B7-BB14-61F9-4E0D-02000000CE01}2400C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000071087087Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:28.126{B81B27B7-AED0-61F9-B70B-02000000CE01}37403860C:\Windows\Explorer.EXE{B81B27B7-BB14-61F9-4E0D-02000000CE01}2400C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e61f|C:\Windows\System32\windows.storage.dll+16e295|C:\Windows\System32\windows.storage.dll+16dd86|C:\Windows\System32\windows.storage.dll+16f1f8|C:\Windows\System32\windows.storage.dll+16dbae|C:\Windows\System32\windows.storage.dll+fd025|C:\Windows\System32\windows.storage.dll+fd3a4|C:\Windows\System32\windows.storage.dll+fc9e0|C:\Windows\System32\windows.storage.dll+1664ae|C:\Windows\System32\windows.storage.dll+1661a2|C:\Windows\System32\SHELL32.dll+90ee1|C:\Windows\System32\SHELL32.dll+8fd46|C:\Windows\System32\SHELL32.dll+d0c11|C:\Windows\System32\SHELL32.dll+b6e2e|C:\Windows\System32\windows.storage.dll+2d1a2|C:\Windows\System32\windows.storage.dll+2ce99|C:\Windows\System32\windows.storage.dll+2cd6f|C:\Windows\System32\SHELL32.dll+d0c97|C:\Windows\System32\SHELL32.dll+b6e2e|C:\Windows\System32\SHELL32.dll+1721db 10341000x800000000000000071087086Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:28.126{B81B27B7-4B39-61E8-0C00-00000000CE01}736760C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087085Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:28.126{B81B27B7-4B39-61E8-0C00-00000000CE01}736760C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087084Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:28.126{B81B27B7-4B39-61E8-0C00-00000000CE01}736760C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087083Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:28.126{B81B27B7-4B39-61E8-0C00-00000000CE01}736760C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000071087082Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:28.132{B81B27B7-BB14-61F9-4E0D-02000000CE01}2400C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" C:\Users\reed_schmidt\ATTACKRANGE\REED_SCHMIDT{B81B27B7-AECE-61F9-0184-781000000000}0x107884015MediumMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{B81B27B7-AED0-61F9-B70B-02000000CE01}3740C:\Windows\explorer.exeC:\Windows\Explorer.EXE 10341000x800000000000000071087081Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:28.111{B81B27B7-4B39-61E8-0C00-00000000CE01}736760C:\Windows\system32\svchost.exe{B81B27B7-AED1-61F9-B90B-02000000CE01}716C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087080Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:28.111{B81B27B7-AED0-61F9-B70B-02000000CE01}37403332C:\Windows\Explorer.EXE{B81B27B7-AED1-61F9-B90B-02000000CE01}716C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087079Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:28.111{B81B27B7-AED0-61F9-B70B-02000000CE01}37403332C:\Windows\Explorer.EXE{B81B27B7-AED1-61F9-B90B-02000000CE01}716C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087078Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:28.111{B81B27B7-4B39-61E8-0C00-00000000CE01}7365060C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-2100-00000000CE01}1076C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087077Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:28.111{B81B27B7-4B39-61E8-0C00-00000000CE01}7365060C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-2100-00000000CE01}1076C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087076Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:28.095{B81B27B7-AED0-61F9-B70B-02000000CE01}37403356C:\Windows\Explorer.EXE{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+925b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+650d|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+1e1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x800000000000000071087075Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:28.095{B81B27B7-AED0-61F9-B70B-02000000CE01}37403356C:\Windows\Explorer.EXE{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+658c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64d9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+1e1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x800000000000000071087074Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:28.095{B81B27B7-AED0-61F9-B70B-02000000CE01}37403356C:\Windows\Explorer.EXE{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64ad|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+1e1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000071087073Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:28.095{B81B27B7-4B39-61E8-0C00-00000000CE01}7365060C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-2100-00000000CE01}1076C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087072Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:28.095{B81B27B7-4B39-61E8-0C00-00000000CE01}7365060C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-2100-00000000CE01}1076C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000071087071Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:28.079{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A48418D6F5BCD5DE14149A391DE0B864,SHA256=194D1B882D9D1CCD39EE257D47A98B22E217AC8BF28B4B6FD93C971592842CA7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150682932Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:29.883{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16AA979F7A5B1181131EB58E90C3BA04,SHA256=F00DFCE5DE226D3835995515A65ED23554F03C062BC460F84BA207CC0EE1D60A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087129Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:29.939{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B7C2D68D929CB9DCBA3C1B7CDBD1156,SHA256=03930FBF7A152E4160092F7DBF12B4C2A4E4E9D3A177AAA723D4E0A43622CAFC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087128Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:29.361{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8AB116445473D8EE44C394D1E7D037AB,SHA256=8FBDB11B52D4FDE579ECFCA208C2D92C579432690AF93CCDE5AA8AAAE773AA4C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087127Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:29.361{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4D60727BFD1F03586148400CB22C68D7,SHA256=4A93022BCDED3FC771CB0C8E3D2AFC54504CC1F1FC0C117135E5FED7E9E99CBB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087130Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:30.954{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16BBBB0D3B12D70DC1541F65CABF688F,SHA256=76402102630E235D9F91505AFAD8459363039EA91D4906757C034301792BA1B3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150682933Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:30.946{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4460264FD458B83337DBC6A7050D4BE4,SHA256=20487BAD282D0EC30D32B4CB3FC73852F000D23C46973CACC75D064AC3A9825D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087131Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:31.970{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC01CFCE0442B2AC05EAEAA390496B06,SHA256=E34C4CB66B84B31F9D6EC461BAD85649C1FB2F5126B35D3B895A793FC5AEA6A9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150682934Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:31.977{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76E85F2308CC63C49B90927C8C002A8D,SHA256=646D486218ADF55F56EAA9C718CB8BFD76638DF74DDBB3FE78CAE728464E7EB3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087132Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:32.986{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78B07537BD4EC8EAC11CBE1DF1CDA3A1,SHA256=3600E2BA71E4FD2AE257ED98F4F0EE1183D789A061550D332282D4CDA7F4F77C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000150682937Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:14.815{3BF36828-4B37-61E8-0B00-00000000CF01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local59758-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 354300x8000000000000000150682936Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:14.815{3BF36828-4B49-61E8-2500-00000000CF01}2824C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local59758-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 23542300x8000000000000000150682935Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:32.274{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=82431A8B31343BE052039274B158CEA4,SHA256=559EF84D814E438BBC6DD36DE7063847F774E38A854DF66BAED24C0081E717AF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000150682939Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:15.690{3BF36828-4B56-61E8-6D00-00000000CF01}4044C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local59759-false10.0.1.12-8000- 23542300x8000000000000000150682938Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:33.024{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=923B8AE08A4DFDF78095D473A5FAE790,SHA256=332B8842D9059DD1F324D516E394E01EB5B451187E52A83A6E3129DE8C186838,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000071087158Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:33.611{B81B27B7-4B39-61E8-0C00-00000000CE01}7362736C:\Windows\system32\svchost.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000071087157Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:33.611{B81B27B7-4B39-61E8-0C00-00000000CE01}7362736C:\Windows\system32\svchost.exe{B81B27B7-BB19-61F9-500D-02000000CE01}1868C:\Windows\system32\backgroundTaskHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000071087156Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:33.611{B81B27B7-4B39-61E8-0C00-00000000CE01}7362736C:\Windows\system32\svchost.exe{B81B27B7-AED1-61F9-B90B-02000000CE01}716C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000071087155Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:33.611{B81B27B7-4B39-61E8-0C00-00000000CE01}7364796C:\Windows\system32\svchost.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000071087154Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:33.611{B81B27B7-4B39-61E8-0C00-00000000CE01}7364796C:\Windows\system32\svchost.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000071087153Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:33.611{B81B27B7-4B39-61E8-0C00-00000000CE01}7364796C:\Windows\system32\svchost.exe{B81B27B7-BB19-61F9-500D-02000000CE01}1868C:\Windows\system32\backgroundTaskHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000071087152Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:33.611{B81B27B7-4B39-61E8-0C00-00000000CE01}7364796C:\Windows\system32\svchost.exe{B81B27B7-AED1-61F9-B90B-02000000CE01}716C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000071087151Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:33.611{B81B27B7-AED0-61F9-AF0B-02000000CE01}21361832C:\Windows\system32\sihost.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087150Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:33.439{B81B27B7-4B39-61E8-0C00-00000000CE01}7362736C:\Windows\system32\svchost.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000071087149Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:33.439{B81B27B7-4B39-61E8-0C00-00000000CE01}7362736C:\Windows\system32\svchost.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000071087148Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:33.439{B81B27B7-4B39-61E8-0C00-00000000CE01}7362736C:\Windows\system32\svchost.exe{B81B27B7-BB19-61F9-500D-02000000CE01}1868C:\Windows\system32\backgroundTaskHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000071087147Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:33.439{B81B27B7-4B39-61E8-0C00-00000000CE01}7362736C:\Windows\system32\svchost.exe{B81B27B7-AED1-61F9-B90B-02000000CE01}716C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000071087146Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:33.329{B81B27B7-AED0-61F9-AF0B-02000000CE01}21362532C:\Windows\system32\sihost.exe{B81B27B7-BB19-61F9-500D-02000000CE01}1868C:\Windows\system32\backgroundTaskHost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\twinui.appcore.dll+684b|C:\Windows\System32\twinui.appcore.dll+756d|C:\Windows\system32\activationmanager.dll+b93d|C:\Windows\System32\twinui.appcore.dll+3df1|C:\Windows\SYSTEM32\twinapi.appcore.dll+2accd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000071087145Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:33.329{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-BB19-61F9-500D-02000000CE01}1868C:\Windows\system32\backgroundTaskHost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|c:\windows\system32\bisrv.dll+1d9ff|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000071087144Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:33.314{B81B27B7-4B3A-61E8-1600-00000000CE01}11962840C:\Windows\system32\svchost.exe{B81B27B7-BB19-61F9-500D-02000000CE01}1868C:\Windows\system32\backgroundTaskHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087143Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:33.314{B81B27B7-4B3A-61E8-1600-00000000CE01}11961244C:\Windows\system32\svchost.exe{B81B27B7-BB19-61F9-500D-02000000CE01}1868C:\Windows\system32\backgroundTaskHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087142Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:33.298{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-BB19-61F9-500D-02000000CE01}1868C:\Windows\system32\backgroundTaskHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087141Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:33.298{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-BB19-61F9-500D-02000000CE01}1868C:\Windows\system32\backgroundTaskHost.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|c:\windows\system32\psmsrv.dll+e342|c:\windows\system32\psmsrv.dll+eb86|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087140Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:33.251{B81B27B7-AECD-61F9-A70B-02000000CE01}2203852C:\Windows\system32\csrss.exe{B81B27B7-BB19-61F9-500D-02000000CE01}1868C:\Windows\system32\backgroundTaskHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000071087139Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:33.251{B81B27B7-4B38-61E8-0500-00000000CE01}420540C:\Windows\system32\csrss.exe{B81B27B7-BB19-61F9-500D-02000000CE01}1868C:\Windows\system32\backgroundTaskHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000071087138Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:33.251{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-BB19-61F9-500D-02000000CE01}1868C:\Windows\system32\backgroundTaskHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35af2|c:\windows\system32\rpcss.dll+4401|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087137Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:33.204{B81B27B7-4B39-61E8-0C00-00000000CE01}736760C:\Windows\system32\svchost.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000071087136Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:33.204{B81B27B7-4B39-61E8-0C00-00000000CE01}736760C:\Windows\system32\svchost.exe{B81B27B7-AED1-61F9-B90B-02000000CE01}716C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000071087135Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:33.204{B81B27B7-4B39-61E8-0C00-00000000CE01}7364796C:\Windows\system32\svchost.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000071087134Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:33.204{B81B27B7-4B39-61E8-0C00-00000000CE01}7364796C:\Windows\system32\svchost.exe{B81B27B7-AED1-61F9-B90B-02000000CE01}716C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 354300x800000000000000071087133Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:24.874{B81B27B7-4B45-61E8-6600-00000000CE01}4020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local54092-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000071087160Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:34.267{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8AB116445473D8EE44C394D1E7D037AB,SHA256=8FBDB11B52D4FDE579ECFCA208C2D92C579432690AF93CCDE5AA8AAAE773AA4C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087159Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:34.017{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C887A343FC163DDEB50FF031A9A2F1FD,SHA256=2DDEC6CB23F8254438541934DDA0799523EAEA2395545E460745E76B988CBCA0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150682940Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:34.055{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=417861362C134256C30521E25A64E556,SHA256=CF5955C844527067F0BE5E3FFA587B221B13D29E6CADDB7F697BEE569CFFAF7F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150682941Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:35.086{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63AA6E68FCDAB436147177B46AE4869C,SHA256=8C86D7954CBC81F960BB7CD4B5D165100B7E3212313D2FB5D3D7FF9D96B1E3BD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087161Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:35.064{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FDF5AEE72AE1D6DDA3AF00BCAD7E9D5,SHA256=11EA366317FBE835F3989F9D3C053CBE0CB0F83BDA65EBA7DD4A5DA07ADAD91D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150682942Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:36.133{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B3AA999A313FFC6B83F22E279DBB0D0,SHA256=EE213B3F1B14FAF69303F5A52AF44152C24C9F0E5F6ED37B7B9E253D100122A3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087162Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:36.126{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93CE19E52690AD5C41C6704291296F14,SHA256=48533172ABE4E7325C3CA1D08B6A7302A2FDA4E7BFCE023B8C66DF368BF84FEC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000071087164Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:29.920{B81B27B7-4B45-61E8-6600-00000000CE01}4020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local54093-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000071087163Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:37.157{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0B7BA0A25D8973D2061949AAF974D86,SHA256=684C9C9C20440D78A3CEF5CAA5C1CBE36EAEBABD2F63045D68A2D9F10C31E23D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150682943Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:37.149{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF2AB9059C4A24DCEB8F12F838229FDB,SHA256=DA7A81021AFCEF5EAF2A5ACFAE13953E678B63603AC1783DADD0F57A54D1A3B5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000071087176Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:38.893{B81B27B7-AED0-61F9-AE0B-02000000CE01}5072944C:\Windows\System32\RuntimeBroker.exe{B81B27B7-BB19-61F9-500D-02000000CE01}1868C:\Windows\system32\backgroundTaskHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d191|C:\Windows\System32\windows.storage.dll+5d030|C:\Windows\System32\windows.storage.dll+17d743|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b 10341000x800000000000000071087175Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:38.893{B81B27B7-AED0-61F9-AF0B-02000000CE01}21361832C:\Windows\system32\sihost.exe{B81B27B7-BB19-61F9-500D-02000000CE01}1868C:\Windows\system32\backgroundTaskHost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\twinui.appcore.dll+684b|C:\Windows\System32\twinui.appcore.dll+756d|C:\Windows\system32\activationmanager.dll+b93d|C:\Windows\System32\twinui.appcore.dll+3df1|C:\Windows\SYSTEM32\twinapi.appcore.dll+2accd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000071087174Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:38.893{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-BB19-61F9-500D-02000000CE01}1868C:\Windows\system32\backgroundTaskHost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|c:\windows\system32\bisrv.dll+1d9ff|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000071087173Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:38.876{B81B27B7-4B39-61E8-0C00-00000000CE01}7365060C:\Windows\system32\svchost.exe{B81B27B7-BB19-61F9-500D-02000000CE01}1868C:\Windows\system32\backgroundTaskHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a384|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087172Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:38.876{B81B27B7-4B39-61E8-0C00-00000000CE01}7365060C:\Windows\system32\svchost.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087171Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:38.876{B81B27B7-4B39-61E8-0C00-00000000CE01}7365060C:\Windows\system32\svchost.exe{B81B27B7-BB19-61F9-500D-02000000CE01}1868C:\Windows\system32\backgroundTaskHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087170Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:38.876{B81B27B7-4B39-61E8-0C00-00000000CE01}7365060C:\Windows\system32\svchost.exe{B81B27B7-AED1-61F9-B90B-02000000CE01}716C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087169Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:38.876{B81B27B7-4B39-61E8-0C00-00000000CE01}7362736C:\Windows\system32\svchost.exe{B81B27B7-BB19-61F9-500D-02000000CE01}1868C:\Windows\system32\backgroundTaskHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000071087168Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:38.876{B81B27B7-4B39-61E8-0C00-00000000CE01}7362736C:\Windows\system32\svchost.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000071087167Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:38.876{B81B27B7-4B39-61E8-0C00-00000000CE01}7362736C:\Windows\system32\svchost.exe{B81B27B7-BB19-61F9-500D-02000000CE01}1868C:\Windows\system32\backgroundTaskHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000071087166Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:38.876{B81B27B7-4B39-61E8-0C00-00000000CE01}7362736C:\Windows\system32\svchost.exe{B81B27B7-AED1-61F9-B90B-02000000CE01}716C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 23542300x800000000000000071087165Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:38.173{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C54FA7BB1952FACAF649DF0E0B138713,SHA256=BC80B43DF4D636562BFEFA7076C11E68E0E03BB827FADED1552E7EF447D549BA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150682944Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:38.149{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF2EB0A6269D4718542A6CCA3DA572B0,SHA256=E20CE210008E0DF30D586EB9AB4603D616C9B0CBFF772DAA808107F1E2E0C775,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087177Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:39.204{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B16402D1CB5B7B5F5DE5EA922DAACAE2,SHA256=4D268795241B2D59A56023D6A12D17ED24DF6229C54A4F7DDEF3D8407DE986D4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000150682948Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:21.721{3BF36828-4B56-61E8-6D00-00000000CF01}4044C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local59760-false10.0.1.12-8000- 23542300x8000000000000000150682947Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:39.196{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=583486A226C790E0A990321824D0AED4,SHA256=D3F9284C19309A015FCBEA77DBD0615DD3C1A30B6C8F74A50AC9C3C2D9784BC2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150682946Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:39.196{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=63674D88C0AF490A4BDF12F516317956,SHA256=B2B17B1606ED2730DCCAE6E24E772D5746F77CC12170CF867E9FC7C2955884DC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150682945Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:39.164{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29A5DA4CC00D78D33E10C56D8120CE6A,SHA256=6973FAD78B13300A93374A3678B5B6D48901F13209F98DD5494C29C3ECD1723F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150682949Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:40.180{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AE81D47F1DBDEFFB62C04BC746A0E89,SHA256=DA968869D028D4EFB5188DF2FE358D246EB1FDB575BF7870D0926105561C9684,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087178Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:40.220{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91135E8C21DF3DB3C2C27D4E9557FC60,SHA256=D8A33BE97B444E0C7E5ABAE0F86101E560F656525FD3331AD7663D3A03D100AB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087179Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:41.236{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90E6D5461AB84AA5858E0093C6CD520F,SHA256=85282056E19F6C7BED3B364AD163EE31676B347AE43EE6DF298386CCFF9363E8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150682950Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:41.211{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DC379BBD040F740EF279B53B59EC7BF,SHA256=52EC1B2B9F721AEE3AC0A4715161C5F72A19292FCA144861EA4A33765E80E397,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087180Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:42.236{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A45C9270ED854EA5FF0113F9207092EA,SHA256=018EF5B3DE5C4EDEF0F2E34AE4E4270FD800CF51143D4959F5E8F6795B2B7B3B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150682951Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:42.258{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DEEBD13D1E25286F4EB6F820D6C1B39,SHA256=B2C47125C189E945C118D91ADBCEBB4B76475D32349F3520CE4CF278814777F9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000071087182Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:35.733{B81B27B7-4B45-61E8-6600-00000000CE01}4020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local54094-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000071087181Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:43.251{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E47622096C6806FA69284874494AA8D,SHA256=4CFD06EFCF4A7FB726C858AA3A9FAD679C85EC6E30454938B51965F87C19A71C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150682952Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:43.289{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88D5B444583A4A978525FC6D7F1D34E9,SHA256=2CFBED9000FEF020E8AA9E4B5BC45B38322243CCEC6B6F29B6F62A41690DFD7B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087183Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:44.282{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB26CACBFA30192DC75E50D70EA45228,SHA256=546D033FB25ED52BC8718EE98F80EF5E119B9C141C69CFD4D3AD7DD866743B83,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150682956Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:44.291{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75DC48D3FFAEFF0E906779C243144AE9,SHA256=47B947BDEE33E9551D3CAC0899B8E6372CE8FA7A4ECDE0E61858B35552F4B71C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 13241300x8000000000000000150682955Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2022-02-01 22:58:44.181{3BF36828-4B49-61E8-2700-00000000CF01}2840C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\D370F6FF-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_D370F6FF-0000-0000-0000-100000000000.XML 13241300x8000000000000000150682954Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2022-02-01 22:58:44.166{3BF36828-4B49-61E8-2700-00000000CF01}2840C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\CA735696-6C26-4910-BF98-1B50C97DCBCC\Config SourceDWORD (0x00000001) 13241300x8000000000000000150682953Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2022-02-01 22:58:44.166{3BF36828-4B49-61E8-2700-00000000CF01}2840C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\CA735696-6C26-4910-BF98-1B50C97DCBCC\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_CA735696-6C26-4910-BF98-1B50C97DCBCC.XML 23542300x800000000000000071087184Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:45.298{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E18C38DB58634146223BDC8039D1129,SHA256=BC733E2BA7702FB422C04458B97E287261C7C5FB35D6896916C78E0A2827C6FB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150682962Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:45.294{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00B67F82CFFCF9CACA608ACF384594B4,SHA256=FE4108F83E032D7DB6D830BA1C66A027A09F6E5F3F52BF0EEB28530970FDB72C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000150682961Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:27.739{3BF36828-4B39-61E8-0D00-00000000CF01}900C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local59762-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local135epmap 354300x8000000000000000150682960Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:27.739{3BF36828-4B49-61E8-2700-00000000CF01}2840C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local59762-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local135epmap 354300x8000000000000000150682959Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:27.660{3BF36828-4B56-61E8-6D00-00000000CF01}4044C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local59761-false10.0.1.12-8000- 23542300x8000000000000000150682958Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:45.091{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=032D8131BC08483160A2B762CDD6587B,SHA256=8E1B8AE1EE45074B757F085810E76187DEF9BC3EF2FEA5E534B9F18876FD7810,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150682957Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:45.091{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=583486A226C790E0A990321824D0AED4,SHA256=D3F9284C19309A015FCBEA77DBD0615DD3C1A30B6C8F74A50AC9C3C2D9784BC2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087186Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:46.392{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=874A5CB92C9B8C6162711389FE7A7E06,SHA256=3D907FD8036BE2E906B76FB2D32B975AA0B06F864DE0AD08676403B5A97FBEA6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150682967Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:46.310{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=322AF92843B527066353C6B155525E6F,SHA256=E030DEC3DFBD515B9EDAB380E3A7542EAA2F96D1CA366CB160E6DBD2B1020DF0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087185Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:46.142{B81B27B7-4B3A-61E8-2600-00000000CE01}2172NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000150682966Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:27.762{3BF36828-4B37-61E8-0B00-00000000CF01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local59764-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local389ldap 354300x8000000000000000150682965Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:27.762{3BF36828-4B49-61E8-2700-00000000CF01}2840C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local59764-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local389ldap 354300x8000000000000000150682964Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:27.755{3BF36828-4B37-61E8-0B00-00000000CF01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local59763-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local389ldap 354300x8000000000000000150682963Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:27.755{3BF36828-4B49-61E8-2700-00000000CF01}2840C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local59763-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local389ldap 23542300x800000000000000071087188Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:47.454{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0FA3CC53609A606806B4739D2D70A52,SHA256=2A4041F350B529594DAF35B0298C956F13AA2DDD804728F80970CEFBC2059C98,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150682968Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:47.311{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22E06C3937B14511106B3B78942B505E,SHA256=F60AAA923E834AFE07AC46A701081D105581BC179327D92D856307AA52D8737B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000071087187Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:40.795{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local54095-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x800000000000000071087190Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:48.470{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5830BE8983C8A1D13788B5B81A18FAFD,SHA256=4874921936B2F307A9495799CBFAF42780E8B8EE06952F631B9CCF4716626D3C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 13241300x8000000000000000150682975Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2022-02-01 22:58:48.981{3BF36828-4B33-61E8-0100-00000000CF01}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\NextInstanceDWORD (0x00000001) 13241300x8000000000000000150682974Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2022-02-01 22:58:48.981{3BF36828-4B33-61E8-0100-00000000CF01}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\CountDWORD (0x00000001) 12241200x8000000000000000150682973Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-DeleteValue2022-02-01 22:58:48.981{3BF36828-4B33-61E8-0100-00000000CF01}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\1 13241300x8000000000000000150682972Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2022-02-01 22:58:48.981{3BF36828-4B33-61E8-0100-00000000CF01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\NextInstanceDWORD (0x00000001) 13241300x8000000000000000150682971Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2022-02-01 22:58:48.981{3BF36828-4B33-61E8-0100-00000000CF01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\CountDWORD (0x00000001) 12241200x8000000000000000150682970Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-DeleteValue2022-02-01 22:58:48.981{3BF36828-4B33-61E8-0100-00000000CF01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\1 23542300x8000000000000000150682969Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:48.325{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=315E67730CC03FC46C0339CA8285189C,SHA256=587BFBC21F94270EA19EEB592297BD2CB529859D8D5AF882A1BBBE33BDC2D946,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000071087189Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:40.858{B81B27B7-4B45-61E8-6600-00000000CE01}4020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local54096-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000071087191Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:49.704{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BF860B281B642655DBEF36E9ED53FE4,SHA256=BE25110FCF4EC26A2127506E9E485971C850BC5A4C817513CFF36789E807A543,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000150683085Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.778{3BF36828-0669-61F8-11DA-01000000CF01}6068C:\Windows\explorer.exeC:\Windows\System32\zipfldr.dll10.0.14393.4169 (rs1_release.210107-1130)Compressed (zipped) FoldersMicrosoft® Windows® Operating SystemMicrosoft CorporationZIPFLDR.DLLMD5=4849E9F93A0F34EC87F82E26049B47FD,SHA256=ADA89724741D0053E8322199764BDF5B39F7B94C0D973248D5FC7AF2F59C8590,IMPHASH=FA770D60A54EF20694B1F385EAA957B5trueMicrosoft WindowsValid 23542300x8000000000000000150683084Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.388{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC6681B258FC7F0BA4C688D4D9D68D3E,SHA256=EB16908C55CF32DCE6030FBA25A84B16AC67762D1360224D9213963A830D3491,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150683083Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.356{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B36DC8792B0D8D6C446070ED981B697E,SHA256=C4C053F2CD177B5B74CC6152BF500B909CA77A0FAE8FA5C7815ED3722806ED25,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000150683082Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.247{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683081Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.247{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683080Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.247{3BF36828-4B39-61E8-0C00-00000000CF01}8401248C:\Windows\system32\svchost.exe{3BF36828-DC58-61EA-5E4E-00000000CF01}1296C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683079Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.247{3BF36828-4B39-61E8-0C00-00000000CF01}8401248C:\Windows\system32\svchost.exe{3BF36828-DC58-61EA-5E4E-00000000CF01}1296C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683078Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.247{3BF36828-4B39-61E8-0C00-00000000CF01}8401248C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-0F00-00000000CF01}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+b4ff|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000150683077Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.247{3BF36828-4B39-61E8-0C00-00000000CF01}8403164C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683076Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.247{3BF36828-4B39-61E8-0C00-00000000CF01}8403164C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683075Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.247{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-0669-61F8-11DA-01000000CF01}6068C:\Windows\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683074Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.247{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683073Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.247{3BF36828-4B39-61E8-0C00-00000000CF01}8402592C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683072Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.247{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683071Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.247{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683070Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.247{3BF36828-4B39-61E8-0C00-00000000CF01}8402592C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683069Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.247{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683068Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.247{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683067Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.247{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683066Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.247{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683065Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.247{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683064Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.247{3BF36828-4B39-61E8-0C00-00000000CF01}8402592C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683063Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.247{3BF36828-4B39-61E8-0C00-00000000CF01}8402592C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683062Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.247{3BF36828-4B39-61E8-0C00-00000000CF01}8401248C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683061Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.247{3BF36828-4B39-61E8-0C00-00000000CF01}8401248C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683060Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.247{3BF36828-4B39-61E8-0C00-00000000CF01}8401248C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683059Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.247{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683058Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.247{3BF36828-4B39-61E8-0C00-00000000CF01}8402592C:\Windows\system32\svchost.exe{3BF36828-DC58-61EA-5E4E-00000000CF01}1296C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683057Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.247{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683056Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.247{3BF36828-4B39-61E8-0C00-00000000CF01}8401248C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683055Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.247{3BF36828-4B39-61E8-0C00-00000000CF01}8402592C:\Windows\system32\svchost.exe{3BF36828-DC58-61EA-5E4E-00000000CF01}1296C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683054Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.247{3BF36828-4B39-61E8-0C00-00000000CF01}8401248C:\Windows\system32\svchost.exe{3BF36828-0669-61F8-11DA-01000000CF01}6068C:\Windows\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683053Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.247{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683052Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.247{3BF36828-4B39-61E8-0C00-00000000CF01}8401248C:\Windows\system32\svchost.exe{3BF36828-DC58-61EA-5E4E-00000000CF01}1296C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683051Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.247{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000150683050Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.247{3BF36828-0669-61F8-11DA-01000000CF01}6068ATTACKRANGE\AdministratorC:\Windows\explorer.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1920_1080_POS4.jpgMD5=29909D3B662A429603C439A25717C213,SHA256=1C83A5D03C17235C3249936859F101C2934B0A7D569553A0D97C97A332ABE1AC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000150683049Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.233{3BF36828-BB29-61F9-7F0D-02000000CF01}6104C:\Windows\System32\TSTheme.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x8000000000000000150683048Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.233{3BF36828-BB29-61F9-7F0D-02000000CF01}6104C:\Windows\System32\TSTheme.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430D,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x8000000000000000150683047Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.233{3BF36828-BB29-61F9-7F0D-02000000CF01}6104C:\Windows\System32\TSTheme.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CA,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x8000000000000000150683046Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.233{3BF36828-BB29-61F9-7F0D-02000000CF01}6104C:\Windows\System32\TSTheme.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x8000000000000000150683045Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.233{3BF36828-BB29-61F9-7F0D-02000000CF01}6104C:\Windows\System32\TSTheme.exeC:\Windows\System32\windows.storage.dll10.0.14393.4402 (rs1_release.210426-1725)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=DCB0FEE21129CF5397BBB8060CC5F62C,SHA256=89A6859022294A24D5253F4206FD49A45A1DEF34ACC894BF94CA0203DAE81623,IMPHASH=181A859176420BBB803F246C0E4B0889trueMicrosoft WindowsValid 734700x8000000000000000150683044Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.233{3BF36828-BB29-61F9-7F0D-02000000CF01}6104C:\Windows\System32\TSTheme.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x8000000000000000150683043Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.233{3BF36828-BB29-61F9-7F0D-02000000CF01}6104C:\Windows\System32\TSTheme.exeC:\Windows\System32\shell32.dll10.0.14393.4402 (rs1_release.210426-1725)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=5B28CA0CDE72EA21C402B62DDA249256,SHA256=8E46588F0A51745F89CB6C3011B227BE504D9B9D14FF33910DF57F4EDF15ED9A,IMPHASH=2ED99A476E2DEFB78DF894322CB4A549trueMicrosoft WindowsValid 10341000x8000000000000000150683042Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.233{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-DC57-61EA-594E-00000000CF01}304C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683041Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.233{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-DC57-61EA-594E-00000000CF01}304C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150683040Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.219{3BF36828-BB29-61F9-7F0D-02000000CF01}6104C:\Windows\System32\TSTheme.exeC:\Windows\System32\sxs.dll10.0.14393.4169 (rs1_release.210107-1130)Fusion 2.5Microsoft® Windows® Operating SystemMicrosoft CorporationSXS.DLLMD5=54FB18CA661D074CBB60D5A58D40C8D3,SHA256=A2BD6160222A216F8A6830C1273662F8AE88F53D2CE6DA5893FF70D146A0A2B0,IMPHASH=FED414075FF3F23F21C898B1860393B4trueMicrosoft WindowsValid 734700x8000000000000000150683039Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.200{3BF36828-BB29-61F9-7F0D-02000000CF01}6104C:\Windows\System32\TSTheme.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2,IMPHASH=0BE8D1F061DD646F6D2B834CB7C9C900trueMicrosoft WindowsValid 10341000x8000000000000000150683038Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.200{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-BB29-61F9-7F0D-02000000CF01}6104C:\Windows\system32\TSTheme.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683037Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.200{3BF36828-4B3A-61E8-1600-00000000CF01}13002144C:\Windows\system32\svchost.exe{3BF36828-BB29-61F9-7F0D-02000000CF01}6104C:\Windows\system32\TSTheme.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683036Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.200{3BF36828-4B3A-61E8-1600-00000000CF01}13001356C:\Windows\system32\svchost.exe{3BF36828-BB29-61F9-7F0D-02000000CF01}6104C:\Windows\system32\TSTheme.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150683035Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.200{3BF36828-BB29-61F9-7F0D-02000000CF01}6104C:\Windows\System32\TSTheme.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 734700x8000000000000000150683034Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.200{3BF36828-BB29-61F9-7F0D-02000000CF01}6104C:\Windows\System32\TSTheme.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000150683033Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.200{3BF36828-BB29-61F9-7F0D-02000000CF01}6104C:\Windows\System32\TSTheme.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x8000000000000000150683032Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.200{3BF36828-BB29-61F9-7F0D-02000000CF01}6104C:\Windows\System32\TSTheme.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000150683031Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.200{3BF36828-BB29-61F9-7F0D-02000000CF01}6104C:\Windows\System32\TSTheme.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000150683030Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.200{3BF36828-BB29-61F9-7F0D-02000000CF01}6104C:\Windows\System32\TSTheme.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000150683029Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.200{3BF36828-BB29-61F9-7F0D-02000000CF01}6104C:\Windows\System32\TSTheme.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000150683028Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.200{3BF36828-BB29-61F9-7F0D-02000000CF01}6104C:\Windows\System32\TSTheme.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000150683027Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.200{3BF36828-BB29-61F9-7F0D-02000000CF01}6104C:\Windows\System32\TSTheme.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000150683026Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.200{3BF36828-BB29-61F9-7F0D-02000000CF01}6104C:\Windows\System32\TSTheme.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000150683025Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.200{3BF36828-BB29-61F9-7F0D-02000000CF01}6104C:\Windows\System32\TSTheme.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000150683024Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.200{3BF36828-BB29-61F9-7F0D-02000000CF01}6104C:\Windows\System32\TSTheme.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150683023Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.200{3BF36828-BB29-61F9-7F0D-02000000CF01}6104C:\Windows\System32\TSTheme.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000150683022Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.200{3BF36828-BB29-61F9-7F0D-02000000CF01}6104C:\Windows\System32\TSTheme.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000150683021Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.200{3BF36828-BB29-61F9-7F0D-02000000CF01}6104C:\Windows\System32\TSTheme.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000150683020Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.200{3BF36828-BB29-61F9-7F0D-02000000CF01}6104C:\Windows\System32\TSTheme.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000150683019Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.200{3BF36828-BB29-61F9-7F0D-02000000CF01}6104C:\Windows\System32\TSTheme.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x8000000000000000150683018Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.200{3BF36828-DC57-61EA-584E-00000000CF01}10405080C:\Windows\system32\csrss.exe{3BF36828-BB29-61F9-7F0D-02000000CF01}6104C:\Windows\system32\TSTheme.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 734700x8000000000000000150683017Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.200{3BF36828-BB29-61F9-7F0D-02000000CF01}6104C:\Windows\System32\TSTheme.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000150683016Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.200{3BF36828-BB29-61F9-7F0D-02000000CF01}6104C:\Windows\System32\TSTheme.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000150683015Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.185{3BF36828-BB29-61F9-7F0D-02000000CF01}6104C:\Windows\System32\TSTheme.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150683014Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.185{3BF36828-BB29-61F9-7F0D-02000000CF01}6104C:\Windows\System32\TSTheme.exeC:\Windows\System32\TSTheme.exe10.0.14393.4169 (rs1_release.210107-1130)TSTheme Server ModuleMicrosoft® Windows® Operating SystemMicrosoft CorporationTSThemeS.exeMD5=D5E6B1DA9AEE1CC85A50894A07700B98,SHA256=3A22AAA677B8B658386F6A22ECFB36795DC1BE55AED591FEAA05CA8D36973464,IMPHASH=851EBF0BAEED8A212E02B93229FDC674trueMicrosoft WindowsValid 10341000x8000000000000000150683013Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.185{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683012Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.185{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683011Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.185{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683010Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.185{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683009Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.185{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683008Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.185{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683007Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.185{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683006Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.185{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683005Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.185{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683004Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.185{3BF36828-4B36-61E8-0500-00000000CF01}416432C:\Windows\system32\csrss.exe{3BF36828-BB29-61F9-7F0D-02000000CF01}6104C:\Windows\system32\TSTheme.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000150683003Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.185{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-BB29-61F9-7F0D-02000000CF01}6104C:\Windows\system32\TSTheme.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35af2|c:\windows\system32\rpcss.dll+3c90d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000150683002Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.177{3BF36828-BB29-61F9-7F0D-02000000CF01}6104C:\Windows\System32\TSTheme.exe10.0.14393.4169 (rs1_release.210107-1130)TSTheme Server ModuleMicrosoft® Windows® Operating SystemMicrosoft CorporationTSThemeS.exeC:\Windows\system32\TSTheme.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{3BF36828-DC57-61EA-2C91-EE0200000000}0x2ee912c3HighMD5=D5E6B1DA9AEE1CC85A50894A07700B98,SHA256=3A22AAA677B8B658386F6A22ECFB36795DC1BE55AED591FEAA05CA8D36973464,IMPHASH=851EBF0BAEED8A212E02B93229FDC674{3BF36828-4B39-61E8-0C00-00000000CF01}840C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x8000000000000000150683001Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.185{3BF36828-DC58-61EA-5E4E-00000000CF01}12961028C:\Windows\System32\rdpclip.exe{3BF36828-0669-61F8-11DA-01000000CF01}6068C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a30ce|C:\Windows\System32\SHELL32.dll+d5032|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683000Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.185{3BF36828-DC58-61EA-5E4E-00000000CF01}12961028C:\Windows\System32\rdpclip.exe{3BF36828-0669-61F8-11DA-01000000CF01}6068C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a3038|C:\Windows\System32\SHELL32.dll+d5032|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150682999Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.185{3BF36828-DC58-61EA-5E4E-00000000CF01}12961028C:\Windows\System32\rdpclip.exe{3BF36828-0669-61F8-11DA-01000000CF01}6068C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+a301a|C:\Windows\System32\SHELL32.dll+d5032|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000150682998Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.185{3BF36828-DC58-61EA-5E4E-00000000CF01}12961028C:\Windows\System32\rdpclip.exe{3BF36828-0669-61F8-11DA-01000000CF01}6068C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+a301a|C:\Windows\System32\SHELL32.dll+d5032|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150682997Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.169{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1700-00000000CF01}1424C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150682996Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.169{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150682995Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.169{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\System32\svchost.exeC:\Windows\System32\es.dll2001.12.10941.16384 (rs1_release.201002-1707)COM+Microsoft® Windows® Operating SystemMicrosoft CorporationES.DLLMD5=C82536B6DCD3370E13D1D34D4A05F13F,SHA256=CD636DCC4516803B77C2CDFECF3A14ADF25F7A8B00F23F1D57A7BA7BD87663DF,IMPHASH=D7A4AD00167880B37A17C79825E9F4B4trueMicrosoft WindowsValid 10341000x8000000000000000150682994Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.169{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150682993Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.169{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150682992Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.169{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1400-00000000CF01}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150682991Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.169{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1400-00000000CF01}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150682990Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.169{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1400-00000000CF01}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150682989Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.169{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150682988Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.169{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150682987Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.169{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150682986Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.169{3BF36828-4B39-61E8-0C00-00000000CF01}8401248C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150682985Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.153{3BF36828-0669-61F8-11DA-01000000CF01}60685572C:\Windows\explorer.exe{3BF36828-066A-61F8-13DA-01000000CF01}3168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150682984Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.153{3BF36828-0669-61F8-11DA-01000000CF01}60685572C:\Windows\explorer.exe{3BF36828-066A-61F8-13DA-01000000CF01}3168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150682983Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.107{3BF36828-4B39-61E8-0C00-00000000CF01}8401248C:\Windows\system32\svchost.exe{3BF36828-DC57-61EA-5B4E-00000000CF01}4144C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150682982Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.107{3BF36828-4B39-61E8-0C00-00000000CF01}8401248C:\Windows\system32\svchost.exe{3BF36828-DC57-61EA-5B4E-00000000CF01}4144C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x8000000000000000150682981Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2022-02-01 22:58:49.044{3BF36828-4B33-61E8-0100-00000000CF01}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\NextInstanceDWORD (0x00000001) 13241300x8000000000000000150682980Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2022-02-01 22:58:49.044{3BF36828-4B33-61E8-0100-00000000CF01}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\CountDWORD (0x00000001) 12241200x8000000000000000150682979Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-DeleteValue2022-02-01 22:58:49.044{3BF36828-4B33-61E8-0100-00000000CF01}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\1 13241300x8000000000000000150682978Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2022-02-01 22:58:49.044{3BF36828-4B33-61E8-0100-00000000CF01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\NextInstanceDWORD (0x00000000) 13241300x8000000000000000150682977Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2022-02-01 22:58:49.044{3BF36828-4B33-61E8-0100-00000000CF01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\CountDWORD (0x00000000) 12241200x8000000000000000150682976Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-DeleteValue2022-02-01 22:58:49.044{3BF36828-4B33-61E8-0100-00000000CF01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\0 23542300x800000000000000071087192Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:50.798{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CC754444241EC2EF844A004A66C0836,SHA256=7C586A4100E6D3DBA930D236C523772E91D1D9B021AE340349EA72EB2A31A098,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000150683090Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:32.772{3BF36828-4B56-61E8-6D00-00000000CF01}4044C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local59765-false10.0.1.12-8000- 23542300x8000000000000000150683089Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:50.357{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D40ED491AEA70F58A3A6E2F726795EB,SHA256=064F243E9EBA8B35C07EFB605A2A693D2FF6E7965CA6340BC1F40FFDE58404AF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150683088Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:50.060{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=032D8131BC08483160A2B762CDD6587B,SHA256=8E1B8AE1EE45074B757F085810E76187DEF9BC3EF2FEA5E534B9F18876FD7810,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150683087Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:50.028{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PrintService_OperationalMD5=66BEB7067473CCA520E98F673B03CC86,SHA256=D8846E9D2AD8C6958D4B1B00AA6705BA64FD32EB012CCCFAA8429E9C444D44B7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150683086Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:50.028{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PrintService_OperationalMD5=BACB02DD435925B85171158E64713109,SHA256=14A8B516E2086797E0D25DCD822BDCA4A05C2D8FCB597FBF679F8076AC36E6C0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000150683092Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:33.482{3BF36828-4B39-61E8-0F00-00000000CF01}100C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse72.43.121.44rrcs-72-43-121-44.nyc.biz.rr.com44952-false10.0.1.14win-dc-128.attackrange.local3389ms-wbt-server 23542300x8000000000000000150683091Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:51.372{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72876A79336236B4D0CCCA002D32A49F,SHA256=0BD2308B9A83E5AADAD9C27F8ADD5E83273673D80F12078A3EBAED38977338E8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000071087194Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:45.873{B81B27B7-4B45-61E8-6600-00000000CE01}4020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local54097-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000071087193Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:52.032{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86E15CE4485A1709CFC7E991F8097B76,SHA256=2F0F03EA6DF0AD308A8865064F02F4CCA9BAA6191482A0E165E7877B308120EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000150683238Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.997{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000150683237Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.997{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150683236Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.997{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000150683235Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.997{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000150683234Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.981{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000150683233Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.981{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000150683232Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.981{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000150683231Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.981{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000150683230Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.981{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000150683229Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.981{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000150683228Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.981{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x8000000000000000150683227Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.981{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683226Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.981{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150683225Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.981{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150683224Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.981{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\LogonUI.exe10.0.14393.0 (rs1_release.160715-1616)Windows Logon User Interface HostMicrosoft® Windows® Operating SystemMicrosoft Corporationlogonui.exeMD5=B38DFCF985D8AE5B1A17C264981E61C7,SHA256=AA62D29803D52EC06CD27ED3124E034048F09606EB7342181913C9817C7B44C5,IMPHASH=A6F3A84D171E55B51A7343E05C8DFAC3trueMicrosoft WindowsValid 734700x8000000000000000150683223Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.981{3BF36828-BB2C-61F9-810D-02000000CF01}2524C:\Windows\System32\csrss.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000150683222Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.966{3BF36828-BB2C-61F9-810D-02000000CF01}2524C:\Windows\System32\csrss.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 10341000x8000000000000000150683221Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.966{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683220Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.966{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683219Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.966{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683218Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.966{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683217Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.966{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683216Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.966{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683215Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.966{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683214Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.966{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683213Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.966{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150683212Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.966{3BF36828-BB2C-61F9-810D-02000000CF01}2524C:\Windows\System32\csrss.exeC:\Windows\System32\sxs.dll10.0.14393.4169 (rs1_release.210107-1130)Fusion 2.5Microsoft® Windows® Operating SystemMicrosoft CorporationSXS.DLLMD5=54FB18CA661D074CBB60D5A58D40C8D3,SHA256=A2BD6160222A216F8A6830C1273662F8AE88F53D2CE6DA5893FF70D146A0A2B0,IMPHASH=FED414075FF3F23F21C898B1860393B4trueMicrosoft WindowsValid 10341000x8000000000000000150683211Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.966{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B37-61E8-0B00-00000000CF01}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683210Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.966{3BF36828-BB2C-61F9-810D-02000000CF01}25243744C:\Windows\system32\csrss.exe{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\system32\LogonUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000150683209Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.966{3BF36828-4B37-61E8-0B00-00000000CF01}6322768C:\Windows\system32\lsass.exe{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683208Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.966{3BF36828-4B37-61E8-0B00-00000000CF01}6322768C:\Windows\system32\lsass.exe{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683207Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.966{3BF36828-4B37-61E8-0B00-00000000CF01}6322768C:\Windows\system32\lsass.exe{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683206Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.966{3BF36828-BB2C-61F9-820D-02000000CF01}912308C:\Windows\system32\winlogon.exe{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\system32\LogonUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\winlogon.exe+193b7|C:\Windows\system32\winlogon.exe+22617|C:\Windows\system32\winlogon.exe+2b287|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000150683205Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.971{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exe10.0.14393.0 (rs1_release.160715-1616)Windows Logon User Interface HostMicrosoft® Windows® Operating SystemMicrosoft Corporationlogonui.exe"LogonUI.exe" /flags:0x2 /state0:0xa3895855 /state1:0x41c64e6dC:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4B37-61E8-E703-000000000000}0x3e74SystemMD5=B38DFCF985D8AE5B1A17C264981E61C7,SHA256=AA62D29803D52EC06CD27ED3124E034048F09606EB7342181913C9817C7B44C5,IMPHASH=A6F3A84D171E55B51A7343E05C8DFAC3{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\System32\winlogon.exewinlogon.exe 734700x8000000000000000150683204Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.966{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\System32\winlogon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000150683203Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.966{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\System32\winlogon.exeC:\Windows\System32\dwminit.dll10.0.14393.2273 (rs1_release_1.180427-1811)DWMInitMicrosoft® Windows® Operating SystemMicrosoft CorporationDWMInit.DLLMD5=2F84B6415D918374A67E50BCE01C3CA2,SHA256=D6A64DE0BFDD504D9C57760F8847EEB3F637774D958BD9D52F000B66EB2AD9D2,IMPHASH=8A9252872C3861ED35BE90BB3A9E6429trueMicrosoft WindowsValid 10341000x8000000000000000150683202Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.966{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683201Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.966{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683200Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.966{3BF36828-4B3A-61E8-1600-00000000CF01}13002144C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150683199Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.950{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\System32\winlogon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 10341000x8000000000000000150683198Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.950{3BF36828-4B3A-61E8-1600-00000000CF01}13002144C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+4689|c:\windows\system32\themeservice.dll+3fdd|c:\windows\system32\themeservice.dll+3c53|c:\windows\system32\themeservice.dll+2675|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683197Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.950{3BF36828-4B3A-61E8-1600-00000000CF01}13001356C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150683196Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.950{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\System32\winlogon.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 10341000x8000000000000000150683195Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.950{3BF36828-4B3A-61E8-1600-00000000CF01}13002144C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\system32\winlogon.exe0x147aC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\themeservice.dll+3de3|c:\windows\system32\themeservice.dll+26c0|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683194Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.950{3BF36828-4B3A-61E8-1600-00000000CF01}13001356C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150683193Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.950{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\System32\winlogon.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430D,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x8000000000000000150683192Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.950{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\System32\winlogon.exeC:\Windows\System32\UXInit.dll10.0.14393.0 (rs1_release.160715-1616)Windows User Experience Session Initialization DllMicrosoft® Windows® Operating SystemMicrosoft CorporationUXINIT.DLLMD5=3803D95BBCB88A09B1F4043F77B0A52C,SHA256=C7B7522CA9BA3F683ADCFB20AE30533B34E4FC91BEDD283E93D0B733E6B97049,IMPHASH=ED2AB7D8E1273F7C87D4CE77B3E62340trueMicrosoft WindowsValid 734700x8000000000000000150683191Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.935{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\System32\winlogon.exeC:\Windows\System32\KBDUS.DLL10.0.14393.0 (rs1_release.160715-1616)United States Keyboard LayoutMicrosoft® Windows® Operating SystemMicrosoft Corporationkbdus.dllMD5=974F03FF3BDB6786F890329340E29CFF,SHA256=D02BCC19AB89EE188DD31D17DEBAECDE26CFC0B30B6E5B0CC5889CCC85202E63,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150683190Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.935{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\System32\winlogon.exeC:\Windows\System32\KBDUS.DLL10.0.14393.0 (rs1_release.160715-1616)United States Keyboard LayoutMicrosoft® Windows® Operating SystemMicrosoft Corporationkbdus.dllMD5=974F03FF3BDB6786F890329340E29CFF,SHA256=D02BCC19AB89EE188DD31D17DEBAECDE26CFC0B30B6E5B0CC5889CCC85202E63,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150683189Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.888{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\System32\winlogon.exeC:\Windows\System32\KBDUS.DLL10.0.14393.0 (rs1_release.160715-1616)United States Keyboard LayoutMicrosoft® Windows® Operating SystemMicrosoft Corporationkbdus.dllMD5=974F03FF3BDB6786F890329340E29CFF,SHA256=D02BCC19AB89EE188DD31D17DEBAECDE26CFC0B30B6E5B0CC5889CCC85202E63,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150683188Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.888{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\System32\winlogon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000150683187Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.888{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\System32\winlogon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000150683186Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.888{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\System32\winlogon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000150683185Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.888{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\System32\winlogon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000150683184Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.888{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\System32\winlogon.exeC:\Windows\System32\msctf.dll10.0.14393.4225 (rs1_release.210127-1811)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=1FD254D30743876981194F7E17ECDB6F,SHA256=0CB67AC140097A888B7ED85C9A31F8967D16661B82557CE5D61FA70A85BDF8B8,IMPHASH=BC8DDE4D2412D48001350313FD2B7840trueMicrosoft WindowsValid 734700x8000000000000000150683183Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.872{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\System32\winlogon.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x8000000000000000150683182Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.872{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\System32\winlogon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000150683181Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.872{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\System32\winlogon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000150683180Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.872{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\System32\winlogon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150683179Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.872{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\System32\winlogon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000150683178Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.826{3BF36828-BB2C-61F9-810D-02000000CF01}25246028C:\Windows\system32\csrss.exe{3BF36828-4B39-61E8-0F00-00000000CF01}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\winsrv.DLL+1ef0|C:\Windows\system32\winsrv.DLL+17e9|C:\Windows\system32\winsrv.DLL+1579|C:\Windows\SYSTEM32\ntdll.dll+5178f 23542300x8000000000000000150683177Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.826{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CFBE502D1EAF6C2EEB6A4DFF5753CE43,SHA256=1AA77ACEC268E08E8591903CE3B3F5D0F2F68DF66689F2D86839E03A407F9567,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150683176Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.810{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=062156A9AB92B129A13CCD04C73F1113,SHA256=E5F63DD0640899ED4B0557545DF3CAEB7EF0F8B884DD7AAC7B3B557D6298C837,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 13241300x8000000000000000150683175Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2022-02-01 22:58:52.638{3BF36828-4B33-61E8-0100-00000000CF01}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\NextInstanceDWORD (0x00000002) 13241300x8000000000000000150683174Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2022-02-01 22:58:52.638{3BF36828-4B33-61E8-0100-00000000CF01}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\CountDWORD (0x00000002) 13241300x8000000000000000150683173Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2022-02-01 22:58:52.638{3BF36828-4B33-61E8-0100-00000000CF01}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\1TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session4Mouse0 13241300x8000000000000000150683172Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2022-02-01 22:58:52.638{3BF36828-4B33-61E8-0100-00000000CF01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\NextInstanceDWORD (0x00000002) 13241300x8000000000000000150683171Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2022-02-01 22:58:52.638{3BF36828-4B33-61E8-0100-00000000CF01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\CountDWORD (0x00000002) 13241300x8000000000000000150683170Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2022-02-01 22:58:52.638{3BF36828-4B33-61E8-0100-00000000CF01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\1TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session4Mouse0 13241300x8000000000000000150683169Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2022-02-01 22:58:52.638{3BF36828-4B33-61E8-0100-00000000CF01}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\NextInstanceDWORD (0x00000002) 13241300x8000000000000000150683168Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2022-02-01 22:58:52.638{3BF36828-4B33-61E8-0100-00000000CF01}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\CountDWORD (0x00000002) 13241300x8000000000000000150683167Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2022-02-01 22:58:52.638{3BF36828-4B33-61E8-0100-00000000CF01}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\1TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session4Keyboard0 13241300x8000000000000000150683166Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2022-02-01 22:58:52.638{3BF36828-4B33-61E8-0100-00000000CF01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\NextInstanceDWORD (0x00000001) 13241300x8000000000000000150683165Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2022-02-01 22:58:52.638{3BF36828-4B33-61E8-0100-00000000CF01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\CountDWORD (0x00000001) 13241300x8000000000000000150683164Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2022-02-01 22:58:52.638{3BF36828-4B33-61E8-0100-00000000CF01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\0TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session4Keyboard0 10341000x8000000000000000150683163Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.638{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+2387f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683162Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.638{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+2380c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683161Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.638{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+237c4|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150683160Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.638{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\System32\winlogon.exeC:\Windows\System32\winsta.dll10.0.14393.0 (rs1_release.160715-1616)Winstation LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationwinsta.dllMD5=12668CEFEE3754CFA61C5699821668B3,SHA256=D0C81619EDE8B846D98417989684EF16DF3A053CC049C7281E40F3359AD5B570,IMPHASH=2E790E44628AED89C2CC17E1E4A5CE1CtrueMicrosoft WindowsValid 734700x8000000000000000150683159Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.638{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\System32\winlogon.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x8000000000000000150683158Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.622{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\System32\winlogon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x8000000000000000150683157Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.622{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\System32\winlogon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000150683156Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.622{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\System32\winlogon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000150683155Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.622{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\System32\winlogon.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x8000000000000000150683154Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.622{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\System32\winlogon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000150683153Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.622{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\System32\winlogon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000150683152Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.622{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\System32\winlogon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 10341000x8000000000000000150683151Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.622{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683150Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.622{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150683149Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.622{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\System32\winlogon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 10341000x8000000000000000150683148Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.622{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683147Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.622{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683146Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.622{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683145Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.622{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150683144Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.622{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\System32\winlogon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x8000000000000000150683143Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.622{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683142Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.622{3BF36828-4B39-61E8-0C00-00000000CF01}8402592C:\Windows\system32\svchost.exe{3BF36828-0669-61F8-11DA-01000000CF01}6068C:\Windows\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683141Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.622{3BF36828-4B39-61E8-0C00-00000000CF01}8403164C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683140Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.622{3BF36828-4B39-61E8-0C00-00000000CF01}8403164C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150683139Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.622{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\System32\winlogon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150683138Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.622{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\System32\winlogon.exeC:\Windows\System32\winlogon.exe10.0.14393.3204 (rs1_release.190830-1500)Windows Logon ApplicationMicrosoft® Windows® Operating SystemMicrosoft CorporationWINLOGON.EXEMD5=DEA4CE12F24601830083126E18A2C7C9,SHA256=F002F8C2EA49D21F242996E3D57F5FDD7995FE6DB524BB69BBD7F190CC0211A9,IMPHASH=3CF10D94C117DB4F6E9D523B93429D6DtrueMicrosoft WindowsValid 10341000x8000000000000000150683137Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.622{3BF36828-4B39-61E8-0C00-00000000CF01}8401248C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-810D-02000000CF01}2524C:\Windows\system32\csrss.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+1ac1c|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000150683136Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.622{3BF36828-4B39-61E8-0C00-00000000CF01}8401248C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1abf6|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000150683135Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.622{3BF36828-4B39-61E8-0C00-00000000CF01}8401248C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\system32\winlogon.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+1abdc|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000150683134Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.622{3BF36828-BB2C-61F9-800D-02000000CF01}52645240C:\Windows\System32\smss.exe{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\SYSTEM32\ntdll.dll+8c63e|C:\Windows\SYSTEM32\ntdll.dll+8c3e9|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+2042|\SystemRoot\System32\smss.exe+1d5e|\SystemRoot\System32\smss.exe+1b09|\SystemRoot\System32\smss.exe+14cb|\SystemRoot\System32\smss.exe+130f|\SystemRoot\System32\smss.exe+1096|C:\Windows\SYSTEM32\ntdll.dll+5178f 154100x8000000000000000150683133Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.633{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\System32\winlogon.exe10.0.14393.3204 (rs1_release.190830-1500)Windows Logon ApplicationMicrosoft® Windows® Operating SystemMicrosoft CorporationWINLOGON.EXEwinlogon.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4B37-61E8-E703-000000000000}0x3e74SystemMD5=DEA4CE12F24601830083126E18A2C7C9,SHA256=F002F8C2EA49D21F242996E3D57F5FDD7995FE6DB524BB69BBD7F190CC0211A9,IMPHASH=3CF10D94C117DB4F6E9D523B93429D6D{3BF36828-BB2C-61F9-800D-02000000CF01}5264C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 0000012c 0000007c 10341000x8000000000000000150683132Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.622{3BF36828-4B33-61E8-0200-00000000CF01}3204744C:\Windows\System32\smss.exe{3BF36828-BB2C-61F9-810D-02000000CF01}2524C:\Windows\system32\csrss.exe0x101441C:\Windows\SYSTEM32\ntdll.dll+a6cc4|\SystemRoot\System32\smss.exe+3fee|\SystemRoot\System32\smss.exe+3b53|C:\Windows\SYSTEM32\ntdll.dll+1d3f1|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\SYSTEM32\ntdll.dll+5178f 734700x8000000000000000150683131Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.622{3BF36828-BB2C-61F9-810D-02000000CF01}2524C:\Windows\System32\csrss.exeC:\Windows\System32\sxssrv.dll10.0.14393.3630 (rs1_release.200407-1730)Windows SxS Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationsxssrvMD5=6544F8B9914C8EF44FFD2965D6D6C4DE,SHA256=B9FB6A183039AD35C0BE6D0DEBCB4618E15CF17D385E4886ED457DA23B31AB8B,IMPHASH=00AF6EC553770FC264FB6B6AB7AF069AtrueMicrosoft WindowsValid 10341000x8000000000000000150683130Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.622{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-810D-02000000CF01}2524C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+1a7a4|c:\windows\system32\lsm.dll+1aa31|C:\Windows\SYSTEM32\ntdll.dll+1d3f1|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150683129Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.622{3BF36828-BB2C-61F9-810D-02000000CF01}2524C:\Windows\System32\csrss.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000150683128Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.622{3BF36828-BB2C-61F9-810D-02000000CF01}2524C:\Windows\System32\csrss.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000150683127Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.622{3BF36828-BB2C-61F9-810D-02000000CF01}2524C:\Windows\System32\csrss.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000150683126Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.606{3BF36828-BB2C-61F9-810D-02000000CF01}2524C:\Windows\System32\csrss.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000150683125Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.606{3BF36828-BB2C-61F9-810D-02000000CF01}2524C:\Windows\System32\csrss.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150683124Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.606{3BF36828-BB2C-61F9-810D-02000000CF01}2524C:\Windows\System32\csrss.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000150683123Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.606{3BF36828-BB2C-61F9-810D-02000000CF01}2524C:\Windows\System32\csrss.exeC:\Windows\System32\winsrv.dll10.0.14393.3686 (rs1_release.200504-1524)Multi-User Windows Server DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationwinsrv.dllMD5=7BD8CD73F08B93E856BA2F7E6E93F6D0,SHA256=994340D9BF1DBE04F33544DC8FC4B1F72695AD5054F3409AA5F26743070DE55B,IMPHASH=C8D1A6852C2C1ACB144F54DCE583FF51trueMicrosoft WindowsValid 734700x8000000000000000150683122Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.606{3BF36828-BB2C-61F9-810D-02000000CF01}2524C:\Windows\System32\csrss.exeC:\Windows\System32\basesrv.dll10.0.14393.2969 (rs1_release.190503-1820)Windows NT BASE API Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationbasesrvMD5=E57547B04ECB8873391616364E94B1FD,SHA256=6A17093974B9F90EC0C18208DD620E63656C86027B2C26EEB05F0606584AAFA2,IMPHASH=37B4D578B2264868FB6A98DD88658A34trueMicrosoft WindowsValid 10341000x8000000000000000150683121Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.606{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683120Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.606{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683119Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.606{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683118Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.606{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150683117Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.606{3BF36828-BB2C-61F9-810D-02000000CF01}2524C:\Windows\System32\csrss.exeC:\Windows\System32\csrsrv.dll10.0.14393.187 (rs1_release_inmarket.160906-1818)Client Server Runtime ProcessMicrosoft® Windows® Operating SystemMicrosoft CorporationCSRSrv.DLLMD5=F1E2170B311D75405C53DFDFBDB6DC01,SHA256=346BBAB08F552E1DDBAD73DDDFC667CE211410C06CDF84C85E12B7CFC579E7C8,IMPHASH=483DAC0149F3BEB9F4281D2B8414EB83trueMicrosoft WindowsValid 10341000x8000000000000000150683116Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.606{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683115Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.606{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683114Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.606{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683113Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.606{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683112Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.606{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150683111Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.606{3BF36828-BB2C-61F9-810D-02000000CF01}2524C:\Windows\System32\csrss.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150683110Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.606{3BF36828-BB2C-61F9-810D-02000000CF01}2524C:\Windows\System32\csrss.exeC:\Windows\System32\csrss.exe10.0.14393.2969 (rs1_release.190503-1820)Client Server Runtime ProcessMicrosoft® Windows® Operating SystemMicrosoft CorporationCSRSS.ExeMD5=955E9227AA30A08B7465C109B863B886,SHA256=D896480BC8523FAD3AE152C81A2B572022C3778A34A6D85E089D150A68E9165E,IMPHASH=273BC9D936389D79244E6E56BE5096B6trueMicrosoft Windows PublisherValid 10341000x8000000000000000150683109Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.606{3BF36828-BB2C-61F9-800D-02000000CF01}52645240C:\Windows\System32\smss.exe{3BF36828-BB2C-61F9-810D-02000000CF01}2524C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\SYSTEM32\ntdll.dll+8c63e|C:\Windows\SYSTEM32\ntdll.dll+8c3e9|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+1ee4|\SystemRoot\System32\smss.exe+20a1|\SystemRoot\System32\smss.exe+1c92|\SystemRoot\System32\smss.exe+1af6|\SystemRoot\System32\smss.exe+14cb|\SystemRoot\System32\smss.exe+130f|\SystemRoot\System32\smss.exe+1096|C:\Windows\SYSTEM32\ntdll.dll+5178f 154100x8000000000000000150683108Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.618{3BF36828-BB2C-61F9-810D-02000000CF01}2524C:\Windows\System32\csrss.exe10.0.14393.2969 (rs1_release.190503-1820)Client Server Runtime ProcessMicrosoft® Windows® Operating SystemMicrosoft CorporationCSRSS.Exe%%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4B37-61E8-E703-000000000000}0x3e74SystemMD5=955E9227AA30A08B7465C109B863B886,SHA256=D896480BC8523FAD3AE152C81A2B572022C3778A34A6D85E089D150A68E9165E,IMPHASH=273BC9D936389D79244E6E56BE5096B6{3BF36828-BB2C-61F9-800D-02000000CF01}5264C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 0000012c 0000007c 10341000x8000000000000000150683107Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.606{3BF36828-4B33-61E8-0200-00000000CF01}3204744C:\Windows\System32\smss.exe{3BF36828-BB2C-61F9-800D-02000000CF01}5264C:\Windows\System32\smss.exe0x101441C:\Windows\SYSTEM32\ntdll.dll+a6cc4|\SystemRoot\System32\smss.exe+3fee|\SystemRoot\System32\smss.exe+3b53|C:\Windows\SYSTEM32\ntdll.dll+1d3f1|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000150683106Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.606{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683105Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.606{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683104Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.606{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683103Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.606{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683102Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.606{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683101Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.606{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683100Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.606{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683099Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.606{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150683098Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.606{3BF36828-BB2C-61F9-800D-02000000CF01}5264C:\Windows\System32\smss.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000150683097Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.606{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150683096Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.606{3BF36828-BB2C-61F9-800D-02000000CF01}5264C:\Windows\System32\smss.exeC:\Windows\System32\smss.exe10.0.14393.2969 (rs1_release.190503-1820)Windows Session ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationsmss.exeMD5=725EC50D4B0F607BF5B45B5E0115770B,SHA256=56881BCAEAC350107A6453F38F020FE0E284DBE2E8A6F37ED482985E0DD98EA7,IMPHASH=09DDECA5943933973FE7DDDD24ED724AtrueMicrosoft Windows PublisherValid 10341000x8000000000000000150683095Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.606{3BF36828-4B33-61E8-0200-00000000CF01}3204416C:\Windows\System32\smss.exe{3BF36828-BB2C-61F9-800D-02000000CF01}5264C:\Windows\System32\smss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\SYSTEM32\ntdll.dll+8c63e|C:\Windows\SYSTEM32\ntdll.dll+8c3e9|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+2042|\SystemRoot\System32\smss.exe+36ee|\SystemRoot\System32\smss.exe+3c31|C:\Windows\SYSTEM32\ntdll.dll+1d3f1|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\SYSTEM32\ntdll.dll+5178f 154100x8000000000000000150683094Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.594{3BF36828-BB2C-61F9-800D-02000000CF01}5264C:\Windows\System32\smss.exe10.0.14393.2969 (rs1_release.190503-1820)Windows Session ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationsmss.exe\SystemRoot\System32\smss.exe 0000012c 0000007c C:\Windows\NT AUTHORITY\SYSTEM{3BF36828-4B37-61E8-E703-000000000000}0x3e74SystemMD5=725EC50D4B0F607BF5B45B5E0115770B,SHA256=56881BCAEAC350107A6453F38F020FE0E284DBE2E8A6F37ED482985E0DD98EA7,IMPHASH=09DDECA5943933973FE7DDDD24ED724A{3BF36828-4B33-61E8-0200-00000000CF01}320C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 23542300x8000000000000000150683093Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.388{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67274C68DFD54ED5A902B2381B85E62D,SHA256=CBB51A2E46662CC2FCCE918F6CA484ADF8C432148A199AAFF8709B80C232DEA1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087195Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:53.032{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=583129FD41166BBB82F8596292FE20F5,SHA256=E1BCFC6A4859E3C87E166EAD92BADD4D50657B498E578A95C7BAD680C35BAE96,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000150683639Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.997{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683638Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.997{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683637Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.997{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683636Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.997{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683635Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.997{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683634Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.997{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683633Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.997{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683632Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.997{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683631Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.997{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|c:\windows\system32\lsm.dll+23fc9|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683630Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.997{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683629Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.997{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23fc1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683628Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.997{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|c:\windows\system32\lsm.dll+23fc9|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683627Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.997{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23fc1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x8000000000000000150683626Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-ConnectPipe2022-02-01 22:58:53.981{3BF36828-4B39-61E8-0F00-00000000CF01}100\TSVCPIPE-f3aae42b-6d29-4106-9be1-1abd921ef3a6C:\Windows\System32\svchost.exe 10341000x8000000000000000150683625Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.981{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+6260e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000150683624Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.981{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-0F00-00000000CF01}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+625bd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 18141800x8000000000000000150683623Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-ConnectPipe2022-02-01 22:58:53.981{3BF36828-4B39-61E8-0F00-00000000CF01}100\TSVCPIPE-f3aae42b-6d29-4106-9be1-1abd921ef3a6C:\Windows\System32\svchost.exe 17141700x8000000000000000150683622Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-CreatePipe2022-02-01 22:58:53.981{3BF36828-4B39-61E8-0F00-00000000CF01}100\TSVCPIPE-f3aae42b-6d29-4106-9be1-1abd921ef3a6C:\Windows\System32\svchost.exe 10341000x8000000000000000150683621Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.981{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683620Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.981{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683619Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.981{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683618Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.981{3BF36828-4B39-61E8-0C00-00000000CF01}8402592C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2200-00000000CF01}2720C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6668|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683617Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.981{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683616Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.981{3BF36828-4B39-61E8-0C00-00000000CF01}8402592C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683615Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.981{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683614Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.981{3BF36828-4B39-61E8-0C00-00000000CF01}8402592C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683613Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.981{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683612Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.981{3BF36828-4B39-61E8-0C00-00000000CF01}8402592C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2200-00000000CF01}2720C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683611Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.981{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683610Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.981{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683609Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.981{3BF36828-4B39-61E8-0C00-00000000CF01}8402592C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683608Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.981{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683607Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.981{3BF36828-4B39-61E8-0C00-00000000CF01}8402592C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683606Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.981{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683605Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.981{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683604Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.981{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683603Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.981{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683602Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.981{3BF36828-4B39-61E8-0C00-00000000CF01}8402592C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683601Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.981{3BF36828-4B39-61E8-0C00-00000000CF01}8402592C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683600Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.981{3BF36828-4B39-61E8-0C00-00000000CF01}8402592C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683599Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.981{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683598Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.981{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683597Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.981{3BF36828-4B39-61E8-0C00-00000000CF01}8402592C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683596Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.981{3BF36828-4B39-61E8-0C00-00000000CF01}8402592C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683595Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.981{3BF36828-4B39-61E8-0C00-00000000CF01}8402592C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683594Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.981{3BF36828-4B39-61E8-0C00-00000000CF01}8402592C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1400-00000000CF01}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683593Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.981{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683592Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.981{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23e0b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683591Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.981{3BF36828-4B39-61E8-0C00-00000000CF01}8402592C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1400-00000000CF01}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683590Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.981{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683589Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.981{3BF36828-4B39-61E8-0C00-00000000CF01}8402592C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1400-00000000CF01}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683588Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.981{3BF36828-4B39-61E8-0C00-00000000CF01}8402592C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683587Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.981{3BF36828-4B39-61E8-0C00-00000000CF01}8402592C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683586Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.981{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683585Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.981{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683584Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.981{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683583Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.981{3BF36828-4B39-61E8-0C00-00000000CF01}8402592C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-0F00-00000000CF01}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000150683582Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.981{3BF36828-4B39-61E8-0C00-00000000CF01}8402592C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683581Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.981{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-0F00-00000000CF01}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000150683580Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.981{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-0F00-00000000CF01}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000150683579Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.903{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-DC58-61EA-5E4E-00000000CF01}1296C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683578Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.903{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-DC58-61EA-5E4E-00000000CF01}1296C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683577Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.825{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-DC57-61EA-5B4E-00000000CF01}4144C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683576Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.825{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-DC57-61EA-5B4E-00000000CF01}4144C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683575Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.825{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-DC57-61EA-5B4E-00000000CF01}4144C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683574Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.825{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-DC57-61EA-5B4E-00000000CF01}4144C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x8000000000000000150683573Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-ConnectPipe2022-02-01 22:58:53.810{3BF36828-4B39-61E8-0F00-00000000CF01}100\TSVCPIPE-f3aae42b-6d29-4106-9be1-1abd921ef3a6C:\Windows\System32\svchost.exe 17141700x8000000000000000150683572Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-CreatePipe2022-02-01 22:58:53.810{3BF36828-4B39-61E8-0F00-00000000CF01}100\TSVCPIPE-f3aae42b-6d29-4106-9be1-1abd921ef3a6C:\Windows\System32\svchost.exe 10341000x8000000000000000150683571Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.810{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-0F00-00000000CF01}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+b4ff|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 23542300x8000000000000000150683570Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.778{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96883078161E9D157FB59A17C2BD1705,SHA256=547ECC57D1C84E743FC56EFCBC5BB325699FED5C74389D757AB8D06783630396,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000150683569Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.731{3BF36828-DC57-61EA-584E-00000000CF01}10403432C:\Windows\system32\csrss.exe{3BF36828-4B39-61E8-0C00-00000000CF01}840C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\winsrv.DLL+7de7|C:\Windows\system32\winsrv.DLL+17e9|C:\Windows\system32\winsrv.DLL+1579|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000150683568Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.731{3BF36828-DC57-61EA-584E-00000000CF01}10403432C:\Windows\system32\csrss.exe{3BF36828-4B39-61E8-0F00-00000000CF01}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\winsrv.DLL+1ef0|C:\Windows\system32\winsrv.DLL+17e9|C:\Windows\system32\winsrv.DLL+1579|C:\Windows\SYSTEM32\ntdll.dll+5178f 13241300x8000000000000000150683567Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2022-02-01 22:58:53.731{3BF36828-4B33-61E8-0100-00000000CF01}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\NextInstanceDWORD (0x00000002) 13241300x8000000000000000150683566Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2022-02-01 22:58:53.731{3BF36828-4B33-61E8-0100-00000000CF01}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\CountDWORD (0x00000002) 13241300x8000000000000000150683565Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2022-02-01 22:58:53.731{3BF36828-4B33-61E8-0100-00000000CF01}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\1TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session3Mouse0 13241300x8000000000000000150683564Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2022-02-01 22:58:53.731{3BF36828-4B33-61E8-0100-00000000CF01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\NextInstanceDWORD (0x00000002) 13241300x8000000000000000150683563Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2022-02-01 22:58:53.731{3BF36828-4B33-61E8-0100-00000000CF01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\CountDWORD (0x00000002) 13241300x8000000000000000150683562Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2022-02-01 22:58:53.731{3BF36828-4B33-61E8-0100-00000000CF01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\1TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session3Mouse0 13241300x8000000000000000150683561Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2022-02-01 22:58:53.731{3BF36828-4B33-61E8-0100-00000000CF01}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\NextInstanceDWORD (0x00000002) 13241300x8000000000000000150683560Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2022-02-01 22:58:53.731{3BF36828-4B33-61E8-0100-00000000CF01}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\CountDWORD (0x00000002) 13241300x8000000000000000150683559Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2022-02-01 22:58:53.731{3BF36828-4B33-61E8-0100-00000000CF01}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\1TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session3Keyboard0 13241300x8000000000000000150683558Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2022-02-01 22:58:53.731{3BF36828-4B33-61E8-0100-00000000CF01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\NextInstanceDWORD (0x00000001) 13241300x8000000000000000150683557Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2022-02-01 22:58:53.731{3BF36828-4B33-61E8-0100-00000000CF01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\CountDWORD (0x00000001) 13241300x8000000000000000150683556Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2022-02-01 22:58:53.731{3BF36828-4B33-61E8-0100-00000000CF01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\0TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session3Keyboard0 10341000x8000000000000000150683555Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.731{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-DC57-61EA-594E-00000000CF01}304C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683554Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.731{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-DC57-61EA-594E-00000000CF01}304C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683553Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.731{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1700-00000000CF01}1424C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683552Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.731{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683551Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.731{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683550Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.731{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1400-00000000CF01}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683549Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.731{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1400-00000000CF01}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683548Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.731{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1400-00000000CF01}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683547Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.731{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683546Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.731{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683545Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.731{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683544Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.731{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683543Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.731{3BF36828-4B39-61E8-0C00-00000000CF01}8402592C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683542Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.731{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683541Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.731{3BF36828-4B39-61E8-0C00-00000000CF01}8402592C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683540Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.731{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-0669-61F8-11DA-01000000CF01}6068C:\Windows\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x8000000000000000150683539Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2022-02-01 22:58:53.669{3BF36828-4B33-61E8-0100-00000000CF01}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\NextInstanceDWORD (0x00000001) 13241300x8000000000000000150683538Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2022-02-01 22:58:53.669{3BF36828-4B33-61E8-0100-00000000CF01}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\CountDWORD (0x00000001) 12241200x8000000000000000150683537Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-DeleteValue2022-02-01 22:58:53.669{3BF36828-4B33-61E8-0100-00000000CF01}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\1 13241300x8000000000000000150683536Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2022-02-01 22:58:53.669{3BF36828-4B33-61E8-0100-00000000CF01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\NextInstanceDWORD (0x00000000) 13241300x8000000000000000150683535Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2022-02-01 22:58:53.669{3BF36828-4B33-61E8-0100-00000000CF01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\CountDWORD (0x00000000) 12241200x8000000000000000150683534Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-DeleteValue2022-02-01 22:58:53.669{3BF36828-4B33-61E8-0100-00000000CF01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\0 734700x8000000000000000150683533Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.653{3BF36828-4B39-61E8-1500-00000000CF01}1232C:\Windows\System32\svchost.exeC:\Windows\System32\pnpts.dll10.0.14393.0 (rs1_release.160715-1616)PlugPlay TroubleshooterMicrosoft® Windows® Operating SystemMicrosoft Corporationpnpts.dllMD5=FFA44FD7FEDA32632E8CE84AD0F9101B,SHA256=2A0746A7876C1A430F9C9A5BE4BE28CAA2FF4F73477651AE5CC74462278F333B,IMPHASH=2AF0358C9B643BA1C759C9C883F150F5trueMicrosoft WindowsValid 13241300x8000000000000000150683532Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2022-02-01 22:58:53.591{3BF36828-4B33-61E8-0100-00000000CF01}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\NextInstanceDWORD (0x00000001) 13241300x8000000000000000150683531Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2022-02-01 22:58:53.591{3BF36828-4B33-61E8-0100-00000000CF01}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\CountDWORD (0x00000001) 12241200x8000000000000000150683530Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-DeleteValue2022-02-01 22:58:53.591{3BF36828-4B33-61E8-0100-00000000CF01}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\1 13241300x8000000000000000150683529Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2022-02-01 22:58:53.591{3BF36828-4B33-61E8-0100-00000000CF01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\NextInstanceDWORD (0x00000001) 13241300x8000000000000000150683528Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2022-02-01 22:58:53.591{3BF36828-4B33-61E8-0100-00000000CF01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\CountDWORD (0x00000001) 12241200x8000000000000000150683527Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-DeleteValue2022-02-01 22:58:53.591{3BF36828-4B33-61E8-0100-00000000CF01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\1 10341000x8000000000000000150683526Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.544{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683525Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.544{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683524Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.528{3BF36828-4B39-61E8-0C00-00000000CF01}8401248C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-0F00-00000000CF01}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000150683523Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.528{3BF36828-4B39-61E8-0C00-00000000CF01}8401248C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-0F00-00000000CF01}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000150683522Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.528{3BF36828-4B39-61E8-0C00-00000000CF01}8401248C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-0F00-00000000CF01}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000150683521Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.528{3BF36828-4B39-61E8-0C00-00000000CF01}8403164C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+5b40|c:\windows\system32\lsm.dll+2f9b|c:\windows\system32\lsm.dll+5727|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683520Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.528{3BF36828-4B39-61E8-0C00-00000000CF01}8403164C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+2f4d|c:\windows\system32\lsm.dll+5727|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683519Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.528{3BF36828-4B39-61E8-0C00-00000000CF01}8403164C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+5b40|c:\windows\system32\lsm.dll+5f9d|c:\windows\system32\lsm.dll+5718|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683518Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.528{3BF36828-4B39-61E8-0C00-00000000CF01}8403164C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+56c4|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150683517Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.528{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\KBDUS.DLL10.0.14393.0 (rs1_release.160715-1616)United States Keyboard LayoutMicrosoft® Windows® Operating SystemMicrosoft Corporationkbdus.dllMD5=974F03FF3BDB6786F890329340E29CFF,SHA256=D02BCC19AB89EE188DD31D17DEBAECDE26CFC0B30B6E5B0CC5889CCC85202E63,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000150683516Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.528{3BF36828-4B39-61E8-0C00-00000000CF01}8403164C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683515Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.528{3BF36828-4B39-61E8-0C00-00000000CF01}8401248C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683514Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.528{3BF36828-4B39-61E8-0C00-00000000CF01}8401248C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683513Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.513{3BF36828-4B39-61E8-0C00-00000000CF01}8401248C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683512Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.513{3BF36828-4B37-61E8-0B00-00000000CF01}632288C:\Windows\system32\lsass.exe{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683511Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.513{3BF36828-4B37-61E8-0B00-00000000CF01}632288C:\Windows\system32\lsass.exe{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683510Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.513{3BF36828-4B37-61E8-0B00-00000000CF01}632288C:\Windows\system32\lsass.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683509Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.513{3BF36828-4B37-61E8-0B00-00000000CF01}632288C:\Windows\system32\lsass.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683508Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.513{3BF36828-4B37-61E8-0B00-00000000CF01}632288C:\Windows\system32\lsass.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683507Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.513{3BF36828-4B37-61E8-0B00-00000000CF01}632288C:\Windows\system32\lsass.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683506Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.497{3BF36828-4B39-61E8-0C00-00000000CF01}8401248C:\Windows\system32\svchost.exe{3BF36828-4B37-61E8-0B00-00000000CF01}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683505Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.497{3BF36828-4B37-61E8-0B00-00000000CF01}632288C:\Windows\system32\lsass.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683504Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.497{3BF36828-4B37-61E8-0B00-00000000CF01}632288C:\Windows\system32\lsass.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150683503Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.497{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\System32\winlogon.exeC:\Windows\System32\usermgrcli.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)UserMgr API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationusermgrcli.dllMD5=53088C541D573FB17068D8C7FE2C91EA,SHA256=20C4124FDB49FA02F9E90B15E9DBA8E0BBD5A82218038AA636FCFAEDEA1B54EA,IMPHASH=5124BA4251101F1719330C2018DBB582trueMicrosoft WindowsValid 10341000x8000000000000000150683502Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.497{3BF36828-4B39-61E8-0C00-00000000CF01}8401248C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683501Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.497{3BF36828-4B39-61E8-0C00-00000000CF01}8401248C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683500Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.497{3BF36828-4B37-61E8-0B00-00000000CF01}632288C:\Windows\system32\lsass.exe{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683499Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.497{3BF36828-4B37-61E8-0B00-00000000CF01}632288C:\Windows\system32\lsass.exe{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150683498Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.481{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\PhotoMetadataHandler.dll10.0.14393.4169 (rs1_release.210107-1130)Photo Metadata HandlerMicrosoft® Windows® Operating SystemMicrosoft CorporationPhotoMetadataHandler.dllMD5=6FB0850ABAD1E8FDD1F662FCF819262C,SHA256=3EFCA956A159AE40CE292607EC59E4D258BDE13EAB51AFEF270FE55154CFA26E,IMPHASH=C204FCA51D1E4DDB2A7903D799C90765trueMicrosoft WindowsValid 734700x8000000000000000150683497Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.481{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\actxprxy.dll10.0.14393.3808 (rs1_release.200707-2105)ActiveX Interface Marshaling LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationActXPrxy.dllMD5=087C47C19BBFCB9F4932C03C0189E86B,SHA256=9BEE35FBFA2E595372D82E8858BE46CE7717E0399996960398BC238F4D0E5207,IMPHASH=24160898971C9C6FED5AE429E3AAD3DAtrueMicrosoft WindowsValid 734700x8000000000000000150683496Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.466{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\FontGlyphAnimator.dll10.0.14393.4169 (rs1_release.210107-1130)Font Glyph AnimatorMicrosoft® Windows® Operating SystemMicrosoft CorporationFontGlyphAnimator.dllMD5=3179BAF869C1815F2A39438DD5EFD620,SHA256=7A89DD1B6F0DCF16AF14A03EA04718DAAD8FE01E97C61933BD81E6371251AA31,IMPHASH=50CFAE7BE5DDFAF9B3957BA4D337BEADtrueMicrosoft WindowsValid 734700x8000000000000000150683495Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.450{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\WindowsCodecs.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft Windows Codecs LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationWindowsCodecsMD5=B791899A46FD151559658F4F86C3C6F5,SHA256=E559B36A3CC2261C16916F2D49FA351DC4E21E5EC581AC43547ABA16F70CDA7E,IMPHASH=945C5ACF3D7F6243AD6374B1152227D8trueMicrosoft WindowsValid 734700x8000000000000000150683494Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.450{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\windows.storage.dll10.0.14393.4402 (rs1_release.210426-1725)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=DCB0FEE21129CF5397BBB8060CC5F62C,SHA256=89A6859022294A24D5253F4206FD49A45A1DEF34ACC894BF94CA0203DAE81623,IMPHASH=181A859176420BBB803F246C0E4B0889trueMicrosoft WindowsValid 734700x8000000000000000150683493Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.450{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\shell32.dll10.0.14393.4402 (rs1_release.210426-1725)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=5B28CA0CDE72EA21C402B62DDA249256,SHA256=8E46588F0A51745F89CB6C3011B227BE504D9B9D14FF33910DF57F4EDF15ED9A,IMPHASH=2ED99A476E2DEFB78DF894322CB4A549trueMicrosoft WindowsValid 23542300x8000000000000000150683492Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.403{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C07B5FF2147DAE2EE646357BC543F09,SHA256=400296849D7109A8CA2F49EB1C8D6FD942DDB0BC162FEC163A3AA3A65170DD82,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000150683491Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.325{3BF36828-4B39-61E8-0C00-00000000CF01}8401248C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1700-00000000CF01}1424C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683490Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.325{3BF36828-4B39-61E8-0C00-00000000CF01}8401248C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+6260e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000150683489Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.325{3BF36828-4B39-61E8-0C00-00000000CF01}8401248C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-0F00-00000000CF01}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+625bd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 18141800x8000000000000000150683488Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-ConnectPipe2022-02-01 22:58:53.325{3BF36828-4B39-61E8-0F00-00000000CF01}100\TSVCPIPE-f3aae42b-6d29-4106-9be1-1abd921ef3a6C:\Windows\System32\svchost.exe 10341000x8000000000000000150683487Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.325{3BF36828-4B39-61E8-0C00-00000000CF01}8401248C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683486Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.325{3BF36828-4B39-61E8-0C00-00000000CF01}8401248C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683485Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.325{3BF36828-4B39-61E8-0C00-00000000CF01}8401248C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000150683484Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.278{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=881E4D430632AEB174BFDB565EF65242,SHA256=7ADCEC31B37FC42A495FE4A2BF9F3EF8EC6E2D492CCAC482C4B84503DB86FC95,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000150683483Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.247{3BF36828-4B39-61E8-0C00-00000000CF01}8401248C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150683482Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.247{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\threadpoolwinrt.dll10.0.14393.4169 (rs1_release.210107-1130)Windows WinRT ThreadpoolMicrosoft® Windows® Operating SystemMicrosoft Corporationthreadpoolwinrt.dllMD5=4D271D6FA08E19B78A99F948FB012F44,SHA256=92D9A5BC0F95FDE6BA83D17925122815BDF3803D949112852C3D97CFBA16D219,IMPHASH=0E03F54121A53AD6BC839C0721A3CECCtrueMicrosoft WindowsValid 10341000x8000000000000000150683481Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.247{3BF36828-4B39-61E8-0C00-00000000CF01}8401248C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683480Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.247{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683479Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.247{3BF36828-4B39-61E8-0C00-00000000CF01}8401248C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683478Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.247{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683477Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.247{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683476Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.247{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683475Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.247{3BF36828-4B39-61E8-0C00-00000000CF01}8401248C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683474Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.247{3BF36828-4B39-61E8-0C00-00000000CF01}8401248C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683473Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.247{3BF36828-4B39-61E8-0C00-00000000CF01}8401248C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683472Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.247{3BF36828-4B39-61E8-0C00-00000000CF01}8401248C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150683471Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.247{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\devobj.dll10.0.14393.0 (rs1_release.160715-1616)Device Information Set DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationdevinfoset.DLLMD5=72AD993A6E896EB50058A73D045F3284,SHA256=CFF524F52D5F91788F34A47076E0CA36132890981079B27F559279B3F6FC3B11,IMPHASH=DFDCA72C641F8587ADF49CA0ED1D5817trueMicrosoft WindowsValid 10341000x8000000000000000150683470Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.247{3BF36828-4B39-61E8-0F00-00000000CF01}1005056C:\Windows\System32\svchost.exe{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\termsrv.dll+a1087|c:\windows\system32\termsrv.dll+6aa58|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150683469Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.247{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\WinSCard.dll10.0.14393.2273 (rs1_release_1.180427-1811)Microsoft Smart Card APIMicrosoft® Windows® Operating SystemMicrosoft Corporationwinscard.dllMD5=85E2B5FCB057B0476687CCFE28E589A5,SHA256=4B99A7709FAC8E9CF95AA186651BE455C0998414E2D2D807DF1B000EB26FBD15,IMPHASH=8E9831D203C36A499228D7F02C6B90D8trueMicrosoft WindowsValid 10341000x8000000000000000150683468Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.247{3BF36828-4B39-61E8-0C00-00000000CF01}8401248C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683467Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.247{3BF36828-4B39-61E8-0C00-00000000CF01}8401248C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683466Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.247{3BF36828-4B37-61E8-0B00-00000000CF01}6324464C:\Windows\system32\lsass.exe{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\system32\LogonUI.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683465Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.247{3BF36828-4B37-61E8-0B00-00000000CF01}6324464C:\Windows\system32\lsass.exe{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150683464Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.247{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\IDStore.dll10.0.14393.4169 (rs1_release.210107-1130)Identity StoreMicrosoft® Windows® Operating SystemMicrosoft CorporationIdStore.dllMD5=C361C32146F8C2E67168CFC076DBBF55,SHA256=D27DC85DE98B5C85AAAEEE1FC2EBE0F92B53F82F35F0AC6A49ADAE83456C0740,IMPHASH=E5FDBED6A52D2B5010634A77EC08AD4DtrueMicrosoft WindowsValid 18141800x8000000000000000150683463Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-ConnectPipe2022-02-01 22:58:53.247{3BF36828-4B39-61E8-0F00-00000000CF01}100\TSVCPIPE-f3aae42b-6d29-4106-9be1-1abd921ef3a6C:\Windows\System32\svchost.exe 23542300x8000000000000000150683462Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.231{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DAED08E1835327F08FAD292D17B70C3,SHA256=0B88A584CD25EFF8620FCCE100A8C6ECFF61E5C47EDA216E1B27E01C3E62E9FD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000150683461Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.216{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\mfplat.dll10.0.14393.4169 (rs1_release.210107-1130)Media Foundation Platform DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmfplat.dllMD5=6B3DD2386B60D0003B3A0A1AE706A9C5,SHA256=2DF94FA3C88D5D8AB5A981C0182263B5D8161CE0F96687D2DF7892EB4F25104C,IMPHASH=4B0B41F559164385A004BCC689586F63trueMicrosoft WindowsValid 734700x8000000000000000150683460Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.216{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\mfsensorgroup.dll10.0.14393.4169 (rs1_release.210107-1130)Media Foundation Sensor Group DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmfsensorgroup.dllMD5=7CB78A0BF4D6AEA6A4C367DFC7645CD0,SHA256=5504F29CAE19AF9A98D65508A350F518AEA1C66235029B1881CA765146E92D99,IMPHASH=86C22AEFE3E4067CC0F34A1D80C38807trueMicrosoft WindowsValid 734700x8000000000000000150683459Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.216{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\RTWorkQ.dll10.0.14393.479 (rs1_release.161110-2025)Realtime WorkQueue DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationRTWorkQ.dllMD5=1EABA23A7305A232C9A16C14806ED091,SHA256=3AD1A84A56EE0DA68B40D40770787FEED3DCF4A74BE172F01BD837FD680396E6,IMPHASH=41E263D9EB0100A59E34B18CF8F6F725trueMicrosoft WindowsValid 734700x8000000000000000150683458Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.216{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\Windows.Media.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Media Runtime DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Media.dllMD5=28B4EDF53317E0FFA2452AEEC47C4183,SHA256=849608262794A5270B0A22A7412B77C2826E807DC6EA932E5D08451ADDB6078A,IMPHASH=88691B5201F0FCC6E05D2593797A195AtrueMicrosoft WindowsValid 734700x8000000000000000150683457Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.216{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\DevDispItemProvider.dll10.0.14393.0 (rs1_release.160715-1616)DeviceItem inproc devquery subsystemMicrosoft® Windows® Operating SystemMicrosoft CorporationDevDispItemProvider.dllMD5=CCDEFAE1F31F9F9AED64686A143D3D0A,SHA256=CF96EB0C3422628398D218152A729221C0F5D09F287E083AE88ECD77DB2C11BC,IMPHASH=B96B407351B4F23871E4087C6E937148trueMicrosoft WindowsValid 734700x8000000000000000150683456Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.200{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\samlib.dll10.0.14393.0 (rs1_release.160715-1616)SAM Library DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSAMLib.DLLMD5=4C413FEDB1B88DA18059890CE0BC95D1,SHA256=FAD279CE82D1616A533D6E5D3A20543B51FDBDDE4C764E09F6A01C8B0E44218A,IMPHASH=BF11630905AADA27934CD5411323FA5BtrueMicrosoft WindowsValid 734700x8000000000000000150683455Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.200{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\shacct.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)Shell Accounts ClassesMicrosoft® Windows® Operating SystemMicrosoft Corporationshacct.dllMD5=6C3405DC9DB5740B6B2AD3AF67031A2E,SHA256=223153AF2A71D3549CCE25D3EAA294DD44471EA8A0733E5AC1EFD7D99D03886E,IMPHASH=F9EDABA9B540C273AC125BA9D119C3AAtrueMicrosoft WindowsValid 10341000x8000000000000000150683454Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.200{3BF36828-4B39-61E8-0C00-00000000CF01}8401248C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683453Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.200{3BF36828-4B39-61E8-0C00-00000000CF01}8401248C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683452Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.200{3BF36828-4B37-61E8-0B00-00000000CF01}6324464C:\Windows\system32\lsass.exe{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\system32\LogonUI.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683451Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.200{3BF36828-4B37-61E8-0B00-00000000CF01}6324464C:\Windows\system32\lsass.exe{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683450Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.200{3BF36828-4B39-61E8-0F00-00000000CF01}1005056C:\Windows\System32\svchost.exe{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\termsrv.dll+a1087|c:\windows\system32\termsrv.dll+6aa58|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683449Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.200{3BF36828-4B39-61E8-0C00-00000000CF01}8401248C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683448Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.200{3BF36828-4B39-61E8-0C00-00000000CF01}8401248C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150683447Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.200{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\rtutils.dll10.0.14393.3930 (rs1_release.200901-1914)Routing UtilitiesMicrosoft® Windows® Operating SystemMicrosoft CorporationRTUTILS.DLLMD5=7F8BC94C915BD52D3422C5AD11389CEF,SHA256=68012DC490FEB77A313007FB1C3EC3F158A5C339AE620DC869B192EDAAED545B,IMPHASH=C5AA2478104DB535756B980DF0497145trueMicrosoft WindowsValid 734700x8000000000000000150683446Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.200{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\rasplap.dll10.0.14393.4283 (rs1_release.210303-1802)RAS PLAP Credential ProviderMicrosoft® Windows® Operating SystemMicrosoft CorporationRasCredProvMD5=3F09354D09FC8331BB5F8B1D1ECB4503,SHA256=EA48272DF75B81FC14CFCF7CF2FA11E3CE921E18FD5B1FC475C1231C3CBD520F,IMPHASH=7EB175244ACD110A7447F926DD91F627trueMicrosoft WindowsValid 734700x8000000000000000150683445Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.200{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\wlidcredprov.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft® Account Credential ProviderMicrosoft® Windows® Operating SystemMicrosoft CorporationWlidCredProvider.dllMD5=BFDFA8D6CE74D72FC3CAC3E8B6D05FB7,SHA256=172538FF3768FA97A54D4B33B7E3253F568013DF9F8102E023DEFF4CA44B2BBC,IMPHASH=AC43D6C08681C0DFDC982DCBAA555A68trueMicrosoft WindowsValid 734700x8000000000000000150683444Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.200{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\certCredProvider.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)Cert Credential ProviderMicrosoft® Windows® Operating SystemMicrosoft CorporationCertCredprovider.dllMD5=5C5920708E3A7386E3FB97F06A1CF6CD,SHA256=2CEBA7FEC4C2DA3384BE80CB70C5AF04F45727BDA3DEF9A79F478B071AB9FC0C,IMPHASH=A01F108876C25B588A60F1407EC75717trueMicrosoft WindowsValid 734700x8000000000000000150683443Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.200{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\MSWB7.dll10.0.14393.2791 (rs1_release.190205-1511)MSWB7 DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSWB7.dllMD5=5C7C3EBF7A50560DE37B750F3BB0F2B2,SHA256=227474B4306F6FA4F4A7EC5DAE2E91104BA6A156E31BDAD4B82D2E5426A53729,IMPHASH=A39738A99E764D3F4E439E2498C99B04trueMicrosoft WindowsValid 734700x8000000000000000150683442Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.200{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\ngckeyenum.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft Passport Key Enumeration ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationngckeyenum.dllMD5=ACF9A79DE065065D9B9F3C060D8FD883,SHA256=72A663ED47F6354E1EF19D6E5D4BC1118B8BF699B9E112E89BBE8DC8B9D83187,IMPHASH=7408E186279579FBFF9DD5099C815B63trueMicrosoft WindowsValid 10341000x8000000000000000150683441Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.200{3BF36828-4B39-61E8-1200-00000000CF01}4121620C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683440Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.200{3BF36828-4B39-61E8-1200-00000000CF01}4121620C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683439Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.200{3BF36828-4B39-61E8-1200-00000000CF01}4121620C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683438Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.200{3BF36828-4B39-61E8-1200-00000000CF01}4121620C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150683437Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.200{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\BioCredProv.dll10.0.14393.4169 (rs1_release.210107-1130)WinBio Credential ProviderMicrosoft® Windows® Operating SystemMicrosoft CorporationBioCredProv.dllMD5=73F8BD8ED7C88C247AE1F8931FE84024,SHA256=50102694895A05D4554A54C775A033664DF7B9E51347F918E2A2FEF2F2B747C0,IMPHASH=01D3BF39F15617F2002037CAEC4CA502trueMicrosoft WindowsValid 734700x8000000000000000150683436Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.200{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\StructuredQuery.dll7.0.14393.4169 (rs1_release.210107-1130)Structured QueryWindows® SearchMicrosoft CorporationStructuredQuery.dllMD5=330E02FA330C93B93B477AA2F88C8A3A,SHA256=958A6977B820D04D94C8FD85C23CC62D77F0498BB59A648744E8F43704FD7F26,IMPHASH=870079407DAAD548AC5B3F417EEBB243trueMicrosoft WindowsValid 734700x8000000000000000150683435Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.200{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\ntasn1.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft ASN.1 APIMicrosoft® Windows® Operating SystemMicrosoft Corporationntasn1.dllMD5=A45B23E8D2623CE3F760377766AF3E24,SHA256=E0A8F5055CD9E2AF029B8537E09EFFAF1F46C724CB720A6395DCF563EF70B843,IMPHASH=EAA4328F5E33714FA08C71E4AAE43CC1trueMicrosoft WindowsValid 734700x8000000000000000150683434Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.185{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\ncrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows NCrypt RouterMicrosoft® Windows® Operating SystemMicrosoft Corporationncrypt.dllMD5=025DBE9D0F7AE719C64DE3A4555A7C0A,SHA256=1A223828A444E7797A9E00632DAE81AC3AC68B38786E67912B1C3FC6118FB6B4,IMPHASH=B6A1A16A2B5E910045E998CD7709E966trueMicrosoft WindowsValid 734700x8000000000000000150683433Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.185{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\ngccredprov.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Passport Credential ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationngccredprov.dllMD5=5125FB8AD27095A89651EFE26DF82B8F,SHA256=B49A3E4B223B5737ABB834DA077E2F525B8D5A4E7A226134AD23B19BD20DA5B5,IMPHASH=BD5237271CB2F0AA3004D8AC0791F836trueMicrosoft WindowsValid 734700x8000000000000000150683432Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.185{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\biwinrt.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Background Broker InfrastructureMicrosoft® Windows® Operating SystemMicrosoft Corporationbiwinrt.dllMD5=1774BAC67716351387E5F11635DEED8D,SHA256=74F9B4190CFFADCE3ED3F61D4FD6A4F7CCC6EE0F42E3452D018E8160ECB3BE1F,IMPHASH=518BBC26E9BA87459E80712401FEE077trueMicrosoft WindowsValid 734700x8000000000000000150683431Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.185{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\deviceassociation.dll10.0.14393.0 (rs1_release.160715-1616)Device Association Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationdeviceassociation.dllMD5=68139108F7E1D4327BE76289E14C2159,SHA256=05436A7EE5EE877F3EA6B12604D41EFCE288F093AAEE03A906FB7C9A4A76DFDA,IMPHASH=CA757A840D91610BF593E8A2814EB9B3trueMicrosoft WindowsValid 734700x8000000000000000150683430Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.185{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\Windows.Devices.Enumeration.dll10.0.14393.4169 (rs1_release.210107-1130)Windows.Devices.EnumerationMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Devices.Enumeration.dllMD5=4C62915A0F4A5D426D857C5DEC342AE9,SHA256=371A5B33833D0433F525EF0A0E61B7EFE5F91142F814241AB291C178B055BCB3,IMPHASH=19CB1EC42DBF9C106DE4DE251E31017EtrueMicrosoft WindowsValid 734700x8000000000000000150683429Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.185{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\facecredentialprovider.dll10.0.14393.4169 (rs1_release.210107-1130)Face Credential ProviderMicrosoft® Windows® Operating SystemMicrosoft CorporationFaceCredentialProvider.dllMD5=75568151502F3012E5A0B28D53517B21,SHA256=6CD897692F27AF5291034213CFA48CF0A0517C33A5A23ED270F12DDE98FB32D9,IMPHASH=A57735F3674892C8A813AC842EA6CFAFtrueMicrosoft WindowsValid 734700x8000000000000000150683428Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.185{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\cngcredui.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft CNG CredUI ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationcngcredui.dllMD5=FE84C1709B761FFCFA7F4340FA451A65,SHA256=329D2D141C9C0ECC68C12E8B68D0413C396F47C83C85621A410773D8BB1A494C,IMPHASH=9AEED300060E76958D7D2ED9F8BF8EDFtrueMicrosoft WindowsValid 734700x8000000000000000150683427Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.185{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000150683426Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.185{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\credprovs.dll10.0.14393.4169 (rs1_release.210107-1130)Credential ProvidersMicrosoft® Windows® Operating SystemMicrosoft Corporationcredprovs.dllMD5=913EF3B2F5DF7C749774F6FF3B054C11,SHA256=4E3F665593865080E37EA4F3108102FD222C2DECE3841F178EAF29A9CCB59C2C,IMPHASH=4D8C135A6C32D5E52CB9D0ED6F5E66D4trueMicrosoft WindowsValid 734700x8000000000000000150683425Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.185{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\credprovslegacy.dll10.0.14393.4169 (rs1_release.210107-1130)Credential Providers LegacyMicrosoft® Windows® Operating SystemMicrosoft Corporationcredprovslegacy.dllMD5=C54FE5EE50B5B797FFCFCC1B00A0076C,SHA256=2676BC00EB97E8BC4F3052EF09106DA33FA33CECC66D179164B3B2FE9DEFD9F6,IMPHASH=350AE9643284403B93B04574B73914E7trueMicrosoft WindowsValid 734700x8000000000000000150683424Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.185{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\dcomp.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft DirectComposition LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationdcomp.dllMD5=40873566DBFF13981CA1AE23AC281C5D,SHA256=E52C4619C837358454B969D31E2E14ACDEDABB384272D48C03E4F0AF9A2C2B6E,IMPHASH=9651C547656809410E78B358203C1A1DtrueMicrosoft WindowsValid 734700x8000000000000000150683423Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.185{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\SmartcardCredentialProvider.dll10.0.14393.2248 (rs1_release.180427-1804)Windows Smartcard Credential ProviderMicrosoft® Windows® Operating SystemMicrosoft CorporationSmartcardCredentialProvider.dllMD5=89F3FE0276D7A31BA02AC3366F964FEE,SHA256=EE1AC8484F240304375600A1B95B64670D660EEC8E3D9F49D7782505D38E28B2,IMPHASH=634A0E8BBEC2A27265F521A876EDBBDAtrueMicrosoft WindowsValid 734700x8000000000000000150683422Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.185{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\directmanipulation.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Direct Manipulation ComponentMicrosoft® Windows® Operating SystemMicrosoft Corporationdirectmanipulation.dllMD5=EA7CE188E0D1E66C361C8B87304EACDE,SHA256=9ADCA2B7554173A0FD8833F65935C151B09A5D790F46E9EC4EE25E9622F1159A,IMPHASH=D9F27AFFC8B05CE56A2B9B9CD5B4C9B5trueMicrosoft WindowsValid 734700x8000000000000000150683421Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.185{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 734700x8000000000000000150683420Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.185{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000150683419Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.185{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000150683418Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.185{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\samcli.dll10.0.14393.0 (rs1_release.160715-1616)Security Accounts Manager Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSAMCLI.DLLMD5=AEF1161232D111EEA93F64B203F131AE,SHA256=C1DA3DF389A414AAA26FEEEA28F35AAC202CE3A5CC3AF26B7C0C14EBBC2157F9,IMPHASH=D27BDFF964B5FDB8A5E9B0599333826BtrueMicrosoft WindowsValid 734700x8000000000000000150683417Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.169{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\credprovhost.dll10.0.14393.4402 (rs1_release.210426-1725)Credential Provider Framework HostMicrosoft® Windows® Operating SystemMicrosoft Corporationcredprovhost.dllMD5=D64A4C4E4CDB8DD6128D4EFAC4118353,SHA256=A503771EBD077D5C5C2EFF2499E074A8B05099A59D68E7668F403EB6DC4A902A,IMPHASH=2B8D4C5C44B72C4C63973FFAB9046281trueMicrosoft WindowsValid 734700x8000000000000000150683416Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.169{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\CredProvDataModel.dll10.0.14393.4169 (rs1_release.210107-1130)Cred Prov Data ModelMicrosoft® Windows® Operating SystemMicrosoft CorporationCredProvDataModel.dllMD5=6B8B71ABE125771FEE8A44D0F941CEF3,SHA256=1C7C0865C8BD4CD12867432AC71144923344F596EFA2D7C42DD9EF37F508F519,IMPHASH=E95B43892FF230687F925F53516FD6F3trueMicrosoft WindowsValid 734700x8000000000000000150683415Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.169{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000150683414Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.169{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\InputSwitch.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Windows Input SwitcherMicrosoft® Windows® Operating SystemMicrosoft CorporationInputSwitch.dllMD5=2B36BB851BC67134276AF104374E1AE7,SHA256=5BBE3DAB8CC51D7979C85F6794AC87EC01033B10381C9975BB82EFDD130C71F8,IMPHASH=9FA3243ACAFF711089EA1F97D1240A36trueMicrosoft WindowsValid 10341000x8000000000000000150683413Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.169{3BF36828-4B39-61E8-0F00-00000000CF01}100908C:\Windows\System32\svchost.exe{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\termsrv.dll+a1087|c:\windows\system32\termsrv.dll+6a73d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000150683412Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.153{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74D5ACE3BC42233A8D71630252C8C2B4,SHA256=41593984D5A671359A5F4F9E6ABB1ECF99A94B952575CFA8C06DC2597540F4DE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 18141800x8000000000000000150683411Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-ConnectPipe2022-02-01 22:58:53.153{3BF36828-4B39-61E8-0F00-00000000CF01}100\TSVCPIPE-f3aae42b-6d29-4106-9be1-1abd921ef3a6C:\Windows\System32\svchost.exe 10341000x8000000000000000150683410Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.153{3BF36828-4B39-61E8-0C00-00000000CF01}8401248C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+6260e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000150683409Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.153{3BF36828-4B39-61E8-0C00-00000000CF01}8401248C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-0F00-00000000CF01}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+625bd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 18141800x8000000000000000150683408Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-ConnectPipe2022-02-01 22:58:53.153{3BF36828-4B39-61E8-0F00-00000000CF01}100\TSVCPIPE-f3aae42b-6d29-4106-9be1-1abd921ef3a6C:\Windows\System32\svchost.exe 17141700x8000000000000000150683407Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-CreatePipe2022-02-01 22:58:53.153{3BF36828-4B39-61E8-0F00-00000000CF01}100\TSVCPIPE-f3aae42b-6d29-4106-9be1-1abd921ef3a6C:\Windows\System32\svchost.exe 10341000x8000000000000000150683406Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.153{3BF36828-4B39-61E8-0C00-00000000CF01}8401248C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683405Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.153{3BF36828-4B39-61E8-0C00-00000000CF01}8401248C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683404Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.153{3BF36828-4B39-61E8-0C00-00000000CF01}8401248C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2200-00000000CF01}2720C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683403Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.153{3BF36828-4B39-61E8-0C00-00000000CF01}8401248C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683402Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.153{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683401Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.138{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1400-00000000CF01}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683400Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.138{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1400-00000000CF01}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683399Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.138{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1400-00000000CF01}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683398Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.138{3BF36828-4B3A-61E8-1600-00000000CF01}13002144C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\system32\winlogon.exe0x147aC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\themeservice.dll+3de3|c:\windows\system32\themeservice.dll+26c0|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683397Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.138{3BF36828-4B3A-61E8-1600-00000000CF01}13001356C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683396Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.138{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683395Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.138{3BF36828-4B39-61E8-0C00-00000000CF01}8401248C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683394Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.138{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683393Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.138{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683392Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.138{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683391Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.138{3BF36828-4B39-61E8-0C00-00000000CF01}8401248C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683390Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.138{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-0669-61F8-11DA-01000000CF01}6068C:\Windows\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683389Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.138{3BF36828-4B39-61E8-0C00-00000000CF01}8401248C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683388Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.138{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+396a|c:\windows\system32\SYSNTFY.dll+1fc3|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49e78|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683387Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.138{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+48674|C:\Windows\System32\RPCRT4.dll+31850|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683386Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.138{3BF36828-4B37-61E8-0B00-00000000CF01}6324464C:\Windows\system32\lsass.exe{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+48674|C:\Windows\System32\RPCRT4.dll+31850|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683385Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.138{3BF36828-4B3A-61E8-1600-00000000CF01}13002144C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+48674|C:\Windows\System32\RPCRT4.dll+31850|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150683384Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.138{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\Windows.Globalization.dll10.0.14393.4169 (rs1_release.210107-1130)Windows GlobalizationMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Globalization.dllMD5=D48D3F64A7718C672CDEC0B7A8CB7695,SHA256=C459390E3E67665FC2413469F8C29544DB9421D14B6C40F68B1674C924898B71,IMPHASH=0280A5811869EFED56B453A140477D51trueMicrosoft WindowsValid 734700x8000000000000000150683383Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.138{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\DWrite.dll10.0.14393.4225 (rs1_release.210127-1811)Microsoft DirectX Typography ServicesMicrosoft® Windows® Operating SystemMicrosoft CorporationDWriteMD5=BB0ECCB8A72B5926A58433666145D459,SHA256=9C082B0EF00A6E174062634F0421B1179D27BC9077A5C0B1FEB2AA74DBAC2E68,IMPHASH=4DF173E853B52F621D05CC337B9F72CEtrueMicrosoft WindowsValid 734700x8000000000000000150683382Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.122{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\System32\dwm.exeC:\Windows\System32\cabinet.dll5.00 (rs1_release.160715-1616)Microsoft® Cabinet File APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcabinet.dllMD5=08A4A2712DB2AE10E483FB74E46B0E73,SHA256=EEB32E3E4256CC9935227ACD5BA576B75F1F6FE3C818D2127513CB22F823FECB,IMPHASH=536E202FBC448C2C3B40D60D87620951trueMicrosoft WindowsValid 734700x8000000000000000150683381Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.122{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\System32\dwm.exeC:\Windows\System32\xmllite.dll10.0.14393.3143 (rs1_release.190725-1725)Microsoft XmlLite LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationXmlLite.dllMD5=64E301CCFADF34810ADA8DE9DBC7720F,SHA256=6EAE1E0E610793C7DF2B27795553F377D2C4126CF74D8EE4A84DE3C3150871F8,IMPHASH=B53F82B33CA6ABD6251152A46E5FF78CtrueMicrosoft WindowsValid 734700x8000000000000000150683380Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.122{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\System32\dwm.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242,IMPHASH=B6562243FBF394F03046E917C719260FtrueMicrosoft WindowsValid 734700x8000000000000000150683379Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.122{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\System32\dwm.exeC:\Windows\System32\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=95BA70CFA8087A209500D7D350BF3A59,SHA256=4265157E8DC2A0E32A6328D54181CC31FD24E3017E60B270623C2CDBE5FAB4FA,IMPHASH=5BAA515B293A764CA06512D078C4E624trueMicrosoft WindowsValid 734700x8000000000000000150683378Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.122{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\System32\dwm.exeC:\Windows\System32\d2d1.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft D2D LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationd2d1MD5=E15A420D82314AF63973D7D0AB3BA2DD,SHA256=C264B2FA1F3E67E558E2671807C06270926EF456F4FF83F1F9859B18184F187E,IMPHASH=5F8C6AF7D0781F35A516AEB072DAD045trueMicrosoft WindowsValid 734700x8000000000000000150683377Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.122{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\System32\dwm.exeC:\Windows\System32\d3d10warp.dll10.0.14393.2608 (rs1_release.181024-1742)Direct3D 10 RasterizerMicrosoft® Windows® Operating SystemMicrosoft CorporationD3D10Warp.dllMD5=B69F0419A16A616FE2D779EC98CD7FB9,SHA256=2D10B43F2137433E48A009227487C691E312D186691485D33B4FDF90D8423C9D,IMPHASH=E32C7474360C94A9FE5E17141A4AB35FtrueMicrosoft WindowsValid 734700x8000000000000000150683376Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.122{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\System32\dwm.exeC:\Windows\System32\d3d10warp.dll10.0.14393.2608 (rs1_release.181024-1742)Direct3D 10 RasterizerMicrosoft® Windows® Operating SystemMicrosoft CorporationD3D10Warp.dllMD5=B69F0419A16A616FE2D779EC98CD7FB9,SHA256=2D10B43F2137433E48A009227487C691E312D186691485D33B4FDF90D8423C9D,IMPHASH=E32C7474360C94A9FE5E17141A4AB35FtrueMicrosoft WindowsValid 734700x8000000000000000150683375Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.122{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\System32\dwm.exeC:\Windows\System32\ntmarta.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=854A3CAE7C97B630158C9F7EE8555970,SHA256=20F0A4D99C5095A0CAC39B816BFC987F64CD051843C79E027714666375986176,IMPHASH=98050D95AE15C8382F287539F2BF65FAtrueMicrosoft WindowsValid 734700x8000000000000000150683374Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.122{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\System32\dwm.exeC:\Windows\System32\rdsdwmdr.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Remote Desktop Services Desktop Composition ComponentMicrosoft® Windows® Operating SystemMicrosoft Corporationrdsdwmdr.dllMD5=8AB1C043AEA9B8E3E69F66FA2D6D0902,SHA256=6405F183B338D172526735F3C68A22E6D927EF62EF2B8D184E8702525B08C529,IMPHASH=C6DD7624FA229BF9070263DE7139C105trueMicrosoft WindowsValid 734700x8000000000000000150683373Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.106{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\System32\dwm.exeC:\Windows\System32\OneCoreUAPCommonProxyStub.dll10.0.14393.3808 (rs1_release.200707-2105)OneCoreUAP Common Proxy StubMicrosoft® Windows® Operating SystemMicrosoft CorporationOneCoreUAPCommonProxyStub.dllMD5=9F8EF1431E82015CD1918582A770DB35,SHA256=FC2073DCE9AC41DBF338FAFE85F2429D6D3812573D2192C7A906C1D46E0AB4FA,IMPHASH=D919FF32201FBB7C5B3EF498D589EAE4trueMicrosoft WindowsValid 10341000x8000000000000000150683372Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.106{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683371Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.106{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150683370Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.106{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\System32\dwm.exeC:\Windows\System32\winsta.dll10.0.14393.0 (rs1_release.160715-1616)Winstation LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationwinsta.dllMD5=12668CEFEE3754CFA61C5699821668B3,SHA256=D0C81619EDE8B846D98417989684EF16DF3A053CC049C7281E40F3359AD5B570,IMPHASH=2E790E44628AED89C2CC17E1E4A5CE1CtrueMicrosoft WindowsValid 10341000x8000000000000000150683369Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.091{3BF36828-4B39-61E8-0C00-00000000CF01}8403164C:\Windows\system32\svchost.exe{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150683368Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.091{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\System32\dwm.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000150683367Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.091{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\System32\dwm.exeC:\Windows\System32\twinapi.appcore.dll10.0.14393.4169 (rs1_release.210107-1130)twinapi.appcoreMicrosoft® Windows® Operating SystemMicrosoft Corporationtwinapi.appcore.dllMD5=B877C5BDEA2215B3D3CF89F645EB535C,SHA256=2F5468CC4277C8CB4B2AD1095AFC739ECAE0F0B6EE78E57BF64A97F3BDA54C19,IMPHASH=52DACB9FFE8B422785C607A5B88982C7trueMicrosoft WindowsValid 734700x8000000000000000150683366Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.091{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\System32\dwm.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x8000000000000000150683365Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.091{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\System32\dwm.exeC:\Windows\System32\Windows.Gaming.Input.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Gaming Input APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Gaming.Input.dllMD5=6947CE1BEE28DA84EF0F9A9CCAC220D9,SHA256=5350654F9C04864F2A364C368348C1799DB7A949286AD946726D0A3583942386,IMPHASH=AA9A60973CD4BBAFA67132CB2D843B41trueMicrosoft WindowsValid 734700x8000000000000000150683364Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.091{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242,IMPHASH=B6562243FBF394F03046E917C719260FtrueMicrosoft WindowsValid 734700x8000000000000000150683363Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.091{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=95BA70CFA8087A209500D7D350BF3A59,SHA256=4265157E8DC2A0E32A6328D54181CC31FD24E3017E60B270623C2CDBE5FAB4FA,IMPHASH=5BAA515B293A764CA06512D078C4E624trueMicrosoft WindowsValid 734700x8000000000000000150683362Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.091{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\d2d1.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft D2D LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationd2d1MD5=E15A420D82314AF63973D7D0AB3BA2DD,SHA256=C264B2FA1F3E67E558E2671807C06270926EF456F4FF83F1F9859B18184F187E,IMPHASH=5F8C6AF7D0781F35A516AEB072DAD045trueMicrosoft WindowsValid 734700x8000000000000000150683361Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.091{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\System32\dwm.exeC:\Windows\System32\UIAnimation.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Animation ManagerMicrosoft® Windows® Operating SystemMicrosoft CorporationUIAnimation.DLLMD5=7F8B0CD5AB8C3E677B98400A2E7C3A75,SHA256=D49C09FBF9BD077A81CB9DA8DE09D2EB1835BCF5F0153373DCE6B484A0F64227,IMPHASH=BC9606EA9B100715129576DB5908D6A8trueMicrosoft WindowsValid 734700x8000000000000000150683360Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.091{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\d3d10warp.dll10.0.14393.2608 (rs1_release.181024-1742)Direct3D 10 RasterizerMicrosoft® Windows® Operating SystemMicrosoft CorporationD3D10Warp.dllMD5=B69F0419A16A616FE2D779EC98CD7FB9,SHA256=2D10B43F2137433E48A009227487C691E312D186691485D33B4FDF90D8423C9D,IMPHASH=E32C7474360C94A9FE5E17141A4AB35FtrueMicrosoft WindowsValid 734700x8000000000000000150683359Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.091{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\d3d11.dll10.0.14393.4169 (rs1_release.210107-1130)Direct3D 11 RuntimeMicrosoft® Windows® Operating SystemMicrosoft CorporationD3D11.dllMD5=EDCE49E7FDE3BD70DF70F05B8C47ACD4,SHA256=864EC8827EB03CDF7F2FC5E318283A7835E600CE548590C59E1DCF8BF8112089,IMPHASH=460DAE5CA92CB705C37D78BE630D6120trueMicrosoft WindowsValid 734700x8000000000000000150683358Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.091{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\System32\dwm.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2,IMPHASH=0BE8D1F061DD646F6D2B834CB7C9C900trueMicrosoft WindowsValid 734700x8000000000000000150683357Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.091{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\System32\dwm.exeC:\Windows\System32\avrt.dll10.0.14393.2969 (rs1_release.190503-1820)Multimedia Realtime RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationavrt.dllMD5=8EC9E2490A9FFA637115F758B22FFF78,SHA256=1A3295CBF09E9367CCE68505D949D724FB9B66B4516770B7D594273C3BCFC5B8,IMPHASH=F266C00A61E480BB0A81B1A89DB30014trueMicrosoft WindowsValid 734700x8000000000000000150683356Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.091{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\ResourcePolicyClient.dll10.0.14393.3808 (rs1_release.200707-2105)Resource Policy ClientMicrosoft® Windows® Operating SystemMicrosoft CorporationResourcePolicyClient.dllMD5=8FD5FEFE4E020BBC2D95F07BCDC84F71,SHA256=E5E351822CCDEBF81C47C4CA1D5C158E2880C1BD29CA024D163FD9316F3046AE,IMPHASH=E494F732179E765F2CE18BC21CDB1948trueMicrosoft WindowsValid 734700x8000000000000000150683355Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.076{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\dxgi.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)DirectX Graphics InfrastructureMicrosoft® Windows® Operating SystemMicrosoft Corporationdxgi.dllMD5=3C32D763740C83DB2C44DEA4B6F18C54,SHA256=ED26DBB9C3656767CA25887CDC3B45CF978AFC75E064FF5457A36C7A69E55223,IMPHASH=83736A76214A92F5C1B53248D0C22863trueMicrosoft WindowsValid 734700x8000000000000000150683354Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.076{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\System32\dwm.exeC:\Windows\System32\ResourcePolicyClient.dll10.0.14393.3808 (rs1_release.200707-2105)Resource Policy ClientMicrosoft® Windows® Operating SystemMicrosoft CorporationResourcePolicyClient.dllMD5=8FD5FEFE4E020BBC2D95F07BCDC84F71,SHA256=E5E351822CCDEBF81C47C4CA1D5C158E2880C1BD29CA024D163FD9316F3046AE,IMPHASH=E494F732179E765F2CE18BC21CDB1948trueMicrosoft WindowsValid 734700x8000000000000000150683353Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.076{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\System32\dwm.exeC:\Windows\System32\WinTypes.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Base Types DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWinTypes.dllMD5=AAA321C636929D23C58B5A78EDA04B61,SHA256=E33D62CC132B8D790B3604DBE227CD2A270E30C1B71881BB4E3B00732CE56E5C,IMPHASH=58F905117CF0434AF54A7CD9D43EEF30trueMicrosoft WindowsValid 734700x8000000000000000150683352Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.076{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\WinTypes.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Base Types DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWinTypes.dllMD5=AAA321C636929D23C58B5A78EDA04B61,SHA256=E33D62CC132B8D790B3604DBE227CD2A270E30C1B71881BB4E3B00732CE56E5C,IMPHASH=58F905117CF0434AF54A7CD9D43EEF30trueMicrosoft WindowsValid 734700x8000000000000000150683351Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.076{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\System32\dwm.exeC:\Windows\System32\WinTypes.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Base Types DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWinTypes.dllMD5=AAA321C636929D23C58B5A78EDA04B61,SHA256=E33D62CC132B8D790B3604DBE227CD2A270E30C1B71881BB4E3B00732CE56E5C,IMPHASH=58F905117CF0434AF54A7CD9D43EEF30trueMicrosoft WindowsValid 734700x8000000000000000150683350Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.076{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\System32\dwm.exeC:\Windows\System32\WinTypes.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Base Types DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWinTypes.dllMD5=AAA321C636929D23C58B5A78EDA04B61,SHA256=E33D62CC132B8D790B3604DBE227CD2A270E30C1B71881BB4E3B00732CE56E5C,IMPHASH=58F905117CF0434AF54A7CD9D43EEF30trueMicrosoft WindowsValid 23542300x8000000000000000150683349Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.076{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=CF9B133471FF88A72C8148F97F97D92C,SHA256=62E72B2C73643D21E1DFFBF83EEEC36F328AE79184FEABDBD7EC47C40EFAF81F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150683348Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.076{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E34BB13381DA640BB0CF88BF492FDA9,SHA256=7591155344CE23BB917282F6533420BB845FDA346C69FF3BAB764EB52F449C3F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150683347Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.076{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=1815FBEEA7C49E1C5B4E1C5673AE2CFC,SHA256=A9A9018768FF87617F0BDFBA06DB44AC76A842F6E460A42F520B9A8731E69513,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000150683346Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.060{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000150683345Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.060{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\twinapi.appcore.dll10.0.14393.4169 (rs1_release.210107-1130)twinapi.appcoreMicrosoft® Windows® Operating SystemMicrosoft Corporationtwinapi.appcore.dllMD5=B877C5BDEA2215B3D3CF89F645EB535C,SHA256=2F5468CC4277C8CB4B2AD1095AFC739ECAE0F0B6EE78E57BF64A97F3BDA54C19,IMPHASH=52DACB9FFE8B422785C607A5B88982C7trueMicrosoft WindowsValid 734700x8000000000000000150683344Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.060{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\KBDUS.DLL10.0.14393.0 (rs1_release.160715-1616)United States Keyboard LayoutMicrosoft® Windows® Operating SystemMicrosoft Corporationkbdus.dllMD5=974F03FF3BDB6786F890329340E29CFF,SHA256=D02BCC19AB89EE188DD31D17DEBAECDE26CFC0B30B6E5B0CC5889CCC85202E63,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150683343Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.060{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\ntmarta.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=854A3CAE7C97B630158C9F7EE8555970,SHA256=20F0A4D99C5095A0CAC39B816BFC987F64CD051843C79E027714666375986176,IMPHASH=98050D95AE15C8382F287539F2BF65FAtrueMicrosoft WindowsValid 734700x8000000000000000150683342Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.060{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\System32\dwm.exeC:\Windows\System32\CoreUIComponents.dll-----MD5=938961BA199F9626C72673E8D67A0D56,SHA256=92414B7F78A45D4DE494F3283B2A33A1F422E32F73C1733AA9071EE0B89ADC5E,IMPHASH=E1E6E93CD96B5C1875509E930B2B8C21trueMicrosoft WindowsValid 734700x8000000000000000150683341Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.060{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\System32\dwm.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430D,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x8000000000000000150683340Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.060{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\System32\dwm.exeC:\Windows\System32\ism32k.dll-----MD5=2D64FFE4D9D69749DAE22929EAF7C0E3,SHA256=DE4B60F73BE4265C83E68C80B984F5B06B69DB281E4F1365DBBAFB9D9366D9B1,IMPHASH=5EAAB1EA34F06850795E43CC80F7A946trueMicrosoft WindowsValid 734700x8000000000000000150683339Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.044{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\System32\dwm.exeC:\Windows\System32\d3d11.dll10.0.14393.4169 (rs1_release.210107-1130)Direct3D 11 RuntimeMicrosoft® Windows® Operating SystemMicrosoft CorporationD3D11.dllMD5=EDCE49E7FDE3BD70DF70F05B8C47ACD4,SHA256=864EC8827EB03CDF7F2FC5E318283A7835E600CE548590C59E1DCF8BF8112089,IMPHASH=460DAE5CA92CB705C37D78BE630D6120trueMicrosoft WindowsValid 734700x8000000000000000150683338Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.044{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\Windows.UI.Immersive.dll10.0.14393.4283 (rs1_release.210303-1802)WINDOWS.UI.IMMERSIVEMicrosoft® Windows® Operating SystemMicrosoft CorporationWINDOWS.UI.IMMERSIVE.dllMD5=4331AC493E264AF1378E0082194D07A5,SHA256=81B8E123110B9C7A34957B9176791AD86EA874315D4555FDC85CF20975E08D99,IMPHASH=C0750252600F63F4BA1D73794E8FE8C0trueMicrosoft WindowsValid 734700x8000000000000000150683337Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.044{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\System32\dwm.exeC:\Windows\System32\WindowsCodecs.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft Windows Codecs LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationWindowsCodecsMD5=B791899A46FD151559658F4F86C3C6F5,SHA256=E559B36A3CC2261C16916F2D49FA351DC4E21E5EC581AC43547ABA16F70CDA7E,IMPHASH=945C5ACF3D7F6243AD6374B1152227D8trueMicrosoft WindowsValid 10341000x8000000000000000150683336Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.044{3BF36828-4B39-61E8-0C00-00000000CF01}8403164C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683335Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.044{3BF36828-4B39-61E8-0C00-00000000CF01}8403164C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150683334Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.044{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\System32\dwm.exeC:\Windows\System32\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=74621C6ABE4E9A568DF0A38E7282D71E,SHA256=0788A092D47800D0EB120A7DBB9E59234D0722A4A2E80ECE6CE70E3A84A3750A,IMPHASH=ADB9F71ACD4F7D3CF761AB6C59A7F1E5trueMicrosoft WindowsValid 734700x8000000000000000150683333Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.044{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\System32\dwm.exeC:\Windows\System32\dwmghost.dll10.0.14393.0 (rs1_release.160715-1616)DWMGhostMicrosoft® Windows® Operating SystemMicrosoft CorporationDWMGhost.DLLMD5=E90480135CCF153367927193360E1704,SHA256=1E38DCCFBB4E3F7A97ACF9B8F35A27EDA314779E17951B62915BFEF2C4FE1905,IMPHASH=E6DA3EBF6A2D12D95C9048E332A1FCA4trueMicrosoft WindowsValid 10341000x8000000000000000150683332Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.044{3BF36828-4B39-61E8-0C00-00000000CF01}8403164C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683331Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.044{3BF36828-4B39-61E8-0C00-00000000CF01}8403164C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000150683330Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.044{3BF36828-4B49-61E8-2D00-00000000CF01}3056NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000150683329Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.044{3BF36828-4B3A-61E8-1600-00000000CF01}13002144C:\Windows\system32\svchost.exe{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683328Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.044{3BF36828-4B3A-61E8-1600-00000000CF01}13001356C:\Windows\system32\svchost.exe{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\system32\dwm.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150683327Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.044{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\System32\dwm.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 734700x8000000000000000150683326Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.028{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\System32\dwm.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x8000000000000000150683325Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.028{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\System32\dwm.exeC:\Windows\System32\dxgi.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)DirectX Graphics InfrastructureMicrosoft® Windows® Operating SystemMicrosoft Corporationdxgi.dllMD5=3C32D763740C83DB2C44DEA4B6F18C54,SHA256=ED26DBB9C3656767CA25887CDC3B45CF978AFC75E064FF5457A36C7A69E55223,IMPHASH=83736A76214A92F5C1B53248D0C22863trueMicrosoft WindowsValid 734700x8000000000000000150683324Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.028{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\CoreMessaging.dll10.0.14393.3930Microsoft CoreMessaging DllMicrosoft® Windows® Operating SystemMicrosoft CorporationCoreMessaging.dllMD5=3D9D2F367587B2E93F2868F52D4ACBDD,SHA256=B4B27A7D4B9B685B6015D090B6A3E0E578AFBDE8D6C06A8F2E606A439D5A4BA4,IMPHASH=92CA7117B99353AC45978E95EEB5A46DtrueMicrosoft WindowsValid 734700x8000000000000000150683323Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.028{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\iertutil.dll11.00.14393.4283 (rs1_release.210303-1802)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=5541A4A7FB64063F8AFB192ABD4DAE70,SHA256=AABF2E6C392F29B77F076BF705976B68B3100138BC63060335BD154B8417754D,IMPHASH=BB80FB0B79AB68B9AA174726B09C8CE9trueMicrosoft WindowsValid 10341000x8000000000000000150683322Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.028{3BF36828-4B39-61E8-0C00-00000000CF01}8403164C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150683321Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.028{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\Windows.UI.Xaml.dll10.0.14393.4402 (rs1_release.210426-1725)Windows.UI.Xaml dllMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.UI.Xaml.dllMD5=D3AABF7BF9CFBD51194C622C0A6A7D78,SHA256=86F89179208C22EE22AD51820FCE323D0F1EF160F7ABB6EE8AB6F858AB4CDDD9,IMPHASH=B872FEAB4926DE1D74C3DF5AC4E62C2CtrueMicrosoft WindowsValid 734700x8000000000000000150683320Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.028{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\MsSpellCheckingFacility.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Spell Checking FacilityMicrosoft® Windows® Operating SystemMicrosoft CorporationMsSpellCheckingFacility.dllMD5=C0079D2D05B1563423C2BF0AED09CE87,SHA256=B55921D0A70FC3F5097010F49C6342E47F30F6B6EB4475CC4F7683954A00836E,IMPHASH=BD8E5A2DF0B988B5F76A40E2D1BEBF97trueMicrosoft WindowsValid 734700x8000000000000000150683319Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.028{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\globinputhost.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows Globalization Extension API for InputMicrosoft® Windows® Operating SystemMicrosoft Corporationglobinputhost.dllMD5=B92070EB12AF4C292155EBB155A0B6C3,SHA256=F155CFD56DC7199F16377259C55C0E8A26662A81588264F01D0E1F1387721DDC,IMPHASH=AB0E9B104017117F7BE18F3C6AAC279AtrueMicrosoft WindowsValid 734700x8000000000000000150683318Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.028{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\System32\dwm.exeC:\Windows\System32\CoreMessaging.dll10.0.14393.3930Microsoft CoreMessaging DllMicrosoft® Windows® Operating SystemMicrosoft CorporationCoreMessaging.dllMD5=3D9D2F367587B2E93F2868F52D4ACBDD,SHA256=B4B27A7D4B9B685B6015D090B6A3E0E578AFBDE8D6C06A8F2E606A439D5A4BA4,IMPHASH=92CA7117B99353AC45978E95EEB5A46DtrueMicrosoft WindowsValid 734700x8000000000000000150683317Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.028{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\Winlangdb.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows Bcp47 Language DatabaseMicrosoft® Windows® Operating SystemMicrosoft CorporationWinlangdb.dllMD5=50E4D5039A8CDC4A6B540FCA4584CDBD,SHA256=AEF4A7FDBF3D97CAA5750A3779246AF5E562176179153B356689A0E3FC5BB444,IMPHASH=E258085E2BBA36D50AAE0D0E18AC11EAtrueMicrosoft WindowsValid 734700x8000000000000000150683316Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.028{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\System32\dwm.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000150683315Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.028{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\System32\dwm.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000150683314Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.028{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\System32\dwm.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000150683313Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.028{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\Windows.UI.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Runtime UI Foundation DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.UI.dllMD5=FEC31833E8D13591BAECE59B8E39F53C,SHA256=424BAEA0DC8EF34305A881F9B36F22E8CFECA403A0D03B61782D69535387A401,IMPHASH=B073DE28C43175420FE754415439CCEAtrueMicrosoft WindowsValid 734700x8000000000000000150683312Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.028{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\System32\dwm.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000150683311Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.028{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\System32\dwm.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000150683310Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.028{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\System32\dwm.exeC:\Windows\System32\dcomp.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft DirectComposition LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationdcomp.dllMD5=40873566DBFF13981CA1AE23AC281C5D,SHA256=E52C4619C837358454B969D31E2E14ACDEDABB384272D48C03E4F0AF9A2C2B6E,IMPHASH=9651C547656809410E78B358203C1A1DtrueMicrosoft WindowsValid 734700x8000000000000000150683309Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.028{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\System32\dwm.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 10341000x8000000000000000150683308Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.028{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150683307Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.028{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\MrmCoreR.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Windows MRMMicrosoft® Windows® Operating SystemMicrosoft CorporationMrmCore.dllMD5=D730B5700BEB4A7E6E4244684356739C,SHA256=26083BEB490E48F5711D69A0E597B7A4CC6FB4B31EDCD535A0FF0DFBE4E6F8DD,IMPHASH=462A9FA6F44F25C68798F197AC8EC9D9trueMicrosoft WindowsValid 10341000x8000000000000000150683306Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.028{3BF36828-4B39-61E8-0C00-00000000CF01}8403164C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683305Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.028{3BF36828-4B39-61E8-0C00-00000000CF01}8403164C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150683304Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.028{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\System32\dwm.exeC:\Windows\System32\dwmcore.dll10.0.14393.3297 (rs1_release_1.191001-1045)Microsoft DWM Core LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationdwmcoreMD5=03C407A9E53E7F5B008408EE7DD98C49,SHA256=128569219AE53C10BBF6630E2CEF5CAEE94EEE53D149EAB67B8FE527C77C73F5,IMPHASH=3574E7EBEB7B8AD883019C49AAEB6220trueMicrosoft WindowsValid 734700x8000000000000000150683303Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.028{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\System32\dwm.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150683302Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.028{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\System32\dwm.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000150683301Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.028{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150683300Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.028{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\System32\dwm.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000150683299Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.028{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\System32\dwm.exeC:\Windows\System32\dwmredir.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft Desktop Window Manager Redirection ComponentMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmredir.dllMD5=05B2A35A72410F77A402FA5B76CF2086,SHA256=13F6D45C49526D75A2E781E59E0C73DF7774579BEF684782B5A283926F8D390E,IMPHASH=EB1A8B672979894B61A21251DA6441A6trueMicrosoft WindowsValid 734700x8000000000000000150683298Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.028{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\System32\dwm.exeC:\Windows\System32\uDWM.dll10.0.14393.2608 (rs1_release.181024-1742)Microsoft Desktop Window ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationudwm.dllMD5=92156F4F346EEF68A638B377310E5A44,SHA256=1ACA1754494BC261C5AE9891F3CDFE9A9060D1F882858B9087E6365C9572D360,IMPHASH=4454B28575E3D261B0B850E37D02A98DtrueMicrosoft WindowsValid 734700x8000000000000000150683297Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.028{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\Windows.UI.XamlHost.dll10.0.14393.4169 (rs1_release.210107-1130)XAML HostMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.UI.XamlHost.dllMD5=3EF300C64E57C482FEC2A62454CC45BC,SHA256=CED0EEE32D019EAF1BE70190B87FA9858054DEE20DE77EF0BDC67C2B8B0DD669,IMPHASH=76C7A23349305BC2F339502E1330DC92trueMicrosoft WindowsValid 734700x8000000000000000150683296Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.028{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\System32\dwm.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 10341000x8000000000000000150683295Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.028{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683294Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.028{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150683293Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.028{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\msctf.dll10.0.14393.4225 (rs1_release.210127-1811)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=1FD254D30743876981194F7E17ECDB6F,SHA256=0CB67AC140097A888B7ED85C9A31F8967D16661B82557CE5D61FA70A85BDF8B8,IMPHASH=BC8DDE4D2412D48001350313FD2B7840trueMicrosoft WindowsValid 734700x8000000000000000150683292Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.028{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\System32\dwm.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000150683291Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.028{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\System32\dwm.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000150683290Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.028{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\System32\dwm.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x8000000000000000150683289Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.028{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\BCP47Langs.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)BCP47 Language ClassesMicrosoft® Windows® Operating SystemMicrosoft CorporationBCP47Lang.dllMD5=F688C2B9DD2EB56C3B0312B6380338AA,SHA256=B22DB210486D3B5F4EEB17900C5E7AA0EEFEDBB068A0C4858EFE9F8018C34628,IMPHASH=31EA1856BC7597303D8126028BBFDFB8trueMicrosoft WindowsValid 734700x8000000000000000150683288Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.028{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\System32\dwm.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000150683287Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.013{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\System32\dwm.exeC:\Windows\System32\apphelp.dll10.0.14393.4350 (rs1_release.210407-2154)Application Compatibility Client LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationApphelpMD5=92330FA0551BFFBB8C1C97E86F9A0264,SHA256=0F341AF375236EBF7047F6AE50F2834566F0D859F0F02B8A5FFD7F29C31B0117,IMPHASH=BF1AF19CCBABA6D54178C43BE36CD985trueMicrosoft WindowsValid 734700x8000000000000000150683286Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.013{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\System32\dwm.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000150683285Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.013{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\System32\dwm.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000150683284Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.013{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\System32\dwm.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150683283Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.013{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\System32\dwm.exeC:\Windows\System32\dwm.exe10.0.14393.0 (rs1_release.160715-1616)Desktop Window ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationdwm.exeMD5=C89F159A577F19F7F03C73C98D29D841,SHA256=B3E37997C1C62DD90D69EF83D6A6FC782BF9A5B8AD04A0D1528A8B7FA31AA408,IMPHASH=DDB7DE3741333EE031929A760FCD4542trueMicrosoft WindowsValid 734700x8000000000000000150683282Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.013{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=74621C6ABE4E9A568DF0A38E7282D71E,SHA256=0788A092D47800D0EB120A7DBB9E59234D0722A4A2E80ECE6CE70E3A84A3750A,IMPHASH=ADB9F71ACD4F7D3CF761AB6C59A7F1E5trueMicrosoft WindowsValid 734700x8000000000000000150683281Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.013{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\System32\winlogon.exeC:\Windows\System32\apphelp.dll10.0.14393.4350 (rs1_release.210407-2154)Application Compatibility Client LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationApphelpMD5=92330FA0551BFFBB8C1C97E86F9A0264,SHA256=0F341AF375236EBF7047F6AE50F2834566F0D859F0F02B8A5FFD7F29C31B0117,IMPHASH=BF1AF19CCBABA6D54178C43BE36CD985trueMicrosoft WindowsValid 734700x8000000000000000150683280Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.013{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 10341000x8000000000000000150683279Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.013{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683278Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.013{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150683277Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.013{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 10341000x8000000000000000150683276Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.013{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150683275Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.013{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\wtsapi32.dll10.0.14393.0 (rs1_release.160715-1616)Windows Remote Desktop Session Host Server SDK APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationwtsapi32.dllMD5=D0DB3DD09FB2B4ADABF4E719FAFC4EB9,SHA256=8B7C056B5F4AB604ED5077A39C63CE1B5A34929DE76DA4A3C54D6E648D123BAB,IMPHASH=AD7CEB919D43FA2BD394EC803EB6BCDAtrueMicrosoft WindowsValid 10341000x8000000000000000150683274Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.013{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150683273Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.013{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\wincorlib.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Windows ® WinRT core libraryMicrosoft® Windows® Operating SystemMicrosoft Corporationwincorlib.DLLMD5=F08F4542548A5CD4F521491164598021,SHA256=D60844E5A091DD42CB1BC03CA76B8BBAF55C5B1A9EC3F1403AB241DDE36CA630,IMPHASH=7118E177B350BBAD51DE9533CF52B852trueMicrosoft WindowsValid 10341000x8000000000000000150683272Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.013{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683271Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.013{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683270Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.013{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150683269Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.013{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\Windows.UI.Logon.dll10.0.14393.4402 (rs1_release.210426-1725)Logon User ExperienceMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.UI.Logon.dllMD5=30C95AED65FA45F9EFF52E3C530C63D6,SHA256=9E8EE30967269AC252D9DA33E45DFCE540676F5A6E730B88FE843E48EBE49457,IMPHASH=54FBE131063E4D40AC82419379C61133trueMicrosoft WindowsValid 10341000x8000000000000000150683268Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.013{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683267Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.013{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683266Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.013{3BF36828-BB2C-61F9-810D-02000000CF01}25243744C:\Windows\system32\csrss.exe{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000150683265Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.013{3BF36828-BB2C-61F9-820D-02000000CF01}9124188C:\Windows\system32\winlogon.exe{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\SYSTEM32\dwminit.dll+2d11|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000150683264Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.021{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\System32\dwm.exe10.0.14393.0 (rs1_release.160715-1616)Desktop Window ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationdwm.exe"dwm.exe"C:\Windows\system32\Window Manager\DWM-4{3BF36828-BB2C-61F9-2E3E-501300000000}0x13503e2e4SystemMD5=C89F159A577F19F7F03C73C98D29D841,SHA256=B3E37997C1C62DD90D69EF83D6A6FC782BF9A5B8AD04A0D1528A8B7FA31AA408,IMPHASH=DDB7DE3741333EE031929A760FCD4542{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\System32\winlogon.exewinlogon.exe 734700x8000000000000000150683263Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.013{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\winsta.dll10.0.14393.0 (rs1_release.160715-1616)Winstation LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationwinsta.dllMD5=12668CEFEE3754CFA61C5699821668B3,SHA256=D0C81619EDE8B846D98417989684EF16DF3A053CC049C7281E40F3359AD5B570,IMPHASH=2E790E44628AED89C2CC17E1E4A5CE1CtrueMicrosoft WindowsValid 10341000x8000000000000000150683262Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.013{3BF36828-BB2C-61F9-830D-02000000CF01}21405896C:\Windows\system32\LogonUI.exe{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\logoncontroller.dll+2eef5|C:\Windows\System32\RPCRT4.dll+48674|C:\Windows\System32\RPCRT4.dll+31850|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683261Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.013{3BF36828-4B37-61E8-0B00-00000000CF01}6322768C:\Windows\system32\lsass.exe{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1b160|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683260Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.013{3BF36828-4B37-61E8-0B00-00000000CF01}6322768C:\Windows\system32\lsass.exe{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683259Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.013{3BF36828-4B37-61E8-0B00-00000000CF01}6322768C:\Windows\system32\lsass.exe{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150683258Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.013{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\sppc.dll10.0.14393.67 (rs1_release.160804-2231)Software Licensing Client DllMicrosoft® Windows® Operating SystemMicrosoft Corporationsppc.dllMD5=7CF84329545035CC0833119C7268A620,SHA256=49E3FA8B9F9ACB1A2CEDE37970361316C93286CEE7F70DE5985E7135498A4210,IMPHASH=BC4A2B9355432144727A5322381AB386trueMicrosoft WindowsValid 734700x8000000000000000150683257Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.013{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=24C1E8F8C10471C5A6F0E8AF141211EB,SHA256=75ECAE23C920D81614BA5C0648377C2FC04C7379FD6A388C244A81F50AAB7B1C,IMPHASH=0B9A3C99AAFA99247F9E2BD866186AEAtrueMicrosoft WindowsValid 734700x8000000000000000150683256Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.013{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=24C1E8F8C10471C5A6F0E8AF141211EB,SHA256=75ECAE23C920D81614BA5C0648377C2FC04C7379FD6A388C244A81F50AAB7B1C,IMPHASH=0B9A3C99AAFA99247F9E2BD866186AEAtrueMicrosoft WindowsValid 734700x8000000000000000150683255Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.997{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\slc.dll10.0.14393.67 (rs1_release.160804-2231)Software Licensing Client DllMicrosoft® Windows® Operating SystemMicrosoft Corporationslc.dllMD5=060E11DCB875D981E948073986E295DC,SHA256=30858EA58F24537CC3369091F92AD70C59877BDB1FDF8DEC7762A7AB72DDE885,IMPHASH=70AAA0F56F084D1AE09EB5CD51B268ECtrueMicrosoft WindowsValid 734700x8000000000000000150683254Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.997{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=F16410F5D557337B05CF4F93691EC106,SHA256=2B5BC3C0A6514356C6719298FC25D8D192A2C973EE3283EF48379D2745C9BD87,IMPHASH=9F0D37252D56D3F9E44E69CCC59B57AEtrueMicrosoft WindowsValid 734700x8000000000000000150683253Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.997{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x8000000000000000150683252Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.997{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x8000000000000000150683251Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.997{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x8000000000000000150683250Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.997{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000150683249Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.997{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\userenv.dll10.0.14393.3986 (rs1_release.201002-1707)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=047D26DCED07A10913C3E7C3A7502BED,SHA256=143C661F79AC6BB271452A10C2A19F6B1AAAAE43B4062B6CFF173F7D8ABC40FE,IMPHASH=C84FC60AE2A79A06E8C46A6929CDECB4trueMicrosoft WindowsValid 734700x8000000000000000150683248Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.997{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x8000000000000000150683247Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.997{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CA,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x8000000000000000150683246Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.997{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430D,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x8000000000000000150683245Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.997{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\LogonController.dll10.0.14393.4169 (rs1_release.210107-1130)Logon UX ControllerMicrosoft® Windows® Operating SystemMicrosoft CorporationLogonController.dllMD5=EEFFA85317E0C7483D747B7C0F20ED38,SHA256=6DC57621059816648A4D438874A29C3F697A86EFC8B04E2945F2C74733DB28A5,IMPHASH=B3F665DED064F7C7E844A2E67FA0267DtrueMicrosoft WindowsValid 734700x8000000000000000150683244Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.997{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2,IMPHASH=0BE8D1F061DD646F6D2B834CB7C9C900trueMicrosoft WindowsValid 10341000x8000000000000000150683243Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.997{3BF36828-4B3A-61E8-1600-00000000CF01}13002144C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683242Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.997{3BF36828-4B3A-61E8-1600-00000000CF01}13001356C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\system32\LogonUI.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150683241Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.997{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 734700x8000000000000000150683240Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.997{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x8000000000000000150683239Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.997{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000150683979Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.747{3BF36828-DC58-61EA-5E4E-00000000CF01}1296C:\Windows\System32\rdpclip.exeC:\Windows\System32\networkexplorer.dll10.0.14393.0 (rs1_release.160715-1616)Network ExplorerMicrosoft® Windows® Operating SystemMicrosoft CorporationNetworkExplorer.DLLMD5=889484BE2979D3C693D194BF4E5F2C82,SHA256=BC046600D8B8DA1652AD584DFAC4D799D4E772BFAF833C50B8F2F91D7D65D6B6,IMPHASH=82DF5355ECE040AB2EB1CF3A3223A564trueMicrosoft WindowsValid 13241300x8000000000000000150683978Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.localT1122SetValue2022-02-01 22:58:54.731{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exeHKCR\WOW6432Node\CLSID\{1F9C7E02-00BB-493E-BA1E-1DCA09472A6F}\InProcServer32\(Default)%%SystemRoot%%\system32\shdocvw.dll 13241300x8000000000000000150683977Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.localT1122SetValue2022-02-01 22:58:54.731{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exeHKCR\CLSID\{1F9C7E02-00BB-493E-BA1E-1DCA09472A6F}\InProcServer32\(Default)%%SystemRoot%%\system32\shdocvw.dll 23542300x8000000000000000150683976Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.419{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23BEA7084C4957941FB080DA80A11267,SHA256=5D4B0A25E161A7F5F35C8807F928B8FBF513452DD408933139450861553C5D7E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087196Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:54.079{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1753EB1158E4F13FEBE8DEC7D0EC727,SHA256=FC5A55BDB05411FE29D836D822BD632CFACCC61C546A2F3F2DA0DA3384E76555,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000150683975Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.403{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-DC57-61EA-5B4E-00000000CF01}4144C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683974Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.403{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-DC57-61EA-5B4E-00000000CF01}4144C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683973Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.403{3BF36828-4B39-61E8-0C00-00000000CF01}8402592C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2200-00000000CF01}2720C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6668|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000150683972Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:36.585{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local59766-false10.0.1.12-8089- 10341000x8000000000000000150683971Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.310{3BF36828-4B39-61E8-0C00-00000000CF01}8403164C:\Windows\system32\svchost.exe{3BF36828-DC58-61EA-5E4E-00000000CF01}1296C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000150683970Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.294{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45D29BFF61C20B7DAEE1B98D2E5CECBF,SHA256=0360FFDA5733DC509DECBDC7FC50C58F22484C5042848AAFD3C97F0ED0582F66,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000150683969Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.263{3BF36828-BB2E-61F9-880D-02000000CF01}5192C:\Windows\System32\dllhost.exeC:\Windows\System32\actxprxy.dll10.0.14393.3808 (rs1_release.200707-2105)ActiveX Interface Marshaling LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationActXPrxy.dllMD5=087C47C19BBFCB9F4932C03C0189E86B,SHA256=9BEE35FBFA2E595372D82E8858BE46CE7717E0399996960398BC238F4D0E5207,IMPHASH=24160898971C9C6FED5AE429E3AAD3DAtrueMicrosoft WindowsValid 734700x8000000000000000150683968Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.263{3BF36828-BB2E-61F9-880D-02000000CF01}5192C:\Windows\System32\dllhost.exeC:\Windows\System32\ntmarta.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=854A3CAE7C97B630158C9F7EE8555970,SHA256=20F0A4D99C5095A0CAC39B816BFC987F64CD051843C79E027714666375986176,IMPHASH=98050D95AE15C8382F287539F2BF65FAtrueMicrosoft WindowsValid 734700x8000000000000000150683967Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.263{3BF36828-BB2E-61F9-880D-02000000CF01}5192C:\Windows\System32\dllhost.exeC:\Windows\System32\Windows.UI.Immersive.dll10.0.14393.4283 (rs1_release.210303-1802)WINDOWS.UI.IMMERSIVEMicrosoft® Windows® Operating SystemMicrosoft CorporationWINDOWS.UI.IMMERSIVE.dllMD5=4331AC493E264AF1378E0082194D07A5,SHA256=81B8E123110B9C7A34957B9176791AD86EA874315D4555FDC85CF20975E08D99,IMPHASH=C0750252600F63F4BA1D73794E8FE8C0trueMicrosoft WindowsValid 734700x8000000000000000150683966Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.263{3BF36828-BB2E-61F9-880D-02000000CF01}5192C:\Windows\System32\dllhost.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 734700x8000000000000000150683965Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.247{3BF36828-BB2E-61F9-880D-02000000CF01}5192C:\Windows\System32\dllhost.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000150683964Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.247{3BF36828-BB2E-61F9-880D-02000000CF01}5192C:\Windows\System32\dllhost.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000150683963Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.247{3BF36828-BB2E-61F9-880D-02000000CF01}5192C:\Windows\System32\dllhost.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000150683962Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.247{3BF36828-BB2E-61F9-880D-02000000CF01}5192C:\Windows\System32\dllhost.exeC:\Windows\System32\TaskSchdPS.dll10.0.14393.0 (rs1_release.160715-1616)Task Scheduler Interfaces ProxyMicrosoft® Windows® Operating SystemMicrosoft CorporationTaskSchdPS.dllMD5=2C64E139BAC3F2852567622F77B02C50,SHA256=EA9ED3B6173722EA707EDCFD7276E036E56F957B85822B727986BCD6F7FACD5C,IMPHASH=83D2415AAD098FF1BBFF89F44AF25EC5trueMicrosoft WindowsValid 734700x8000000000000000150683961Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.247{3BF36828-BB2E-61F9-880D-02000000CF01}5192C:\Windows\System32\dllhost.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x8000000000000000150683960Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.247{3BF36828-BB2E-61F9-880D-02000000CF01}5192C:\Windows\System32\dllhost.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430D,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x8000000000000000150683959Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.247{3BF36828-BB2E-61F9-880D-02000000CF01}5192C:\Windows\System32\dllhost.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CA,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x8000000000000000150683958Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.247{3BF36828-BB2E-61F9-880D-02000000CF01}5192C:\Windows\System32\dllhost.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x8000000000000000150683957Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.247{3BF36828-BB2E-61F9-880D-02000000CF01}5192C:\Windows\System32\dllhost.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x8000000000000000150683956Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.247{3BF36828-BB2E-61F9-880D-02000000CF01}5192C:\Windows\System32\dllhost.exeC:\Windows\System32\windows.storage.dll10.0.14393.4402 (rs1_release.210426-1725)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=DCB0FEE21129CF5397BBB8060CC5F62C,SHA256=89A6859022294A24D5253F4206FD49A45A1DEF34ACC894BF94CA0203DAE81623,IMPHASH=181A859176420BBB803F246C0E4B0889trueMicrosoft WindowsValid 734700x8000000000000000150683955Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.247{3BF36828-BB2E-61F9-880D-02000000CF01}5192C:\Windows\System32\dllhost.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x8000000000000000150683954Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.247{3BF36828-BB2E-61F9-880D-02000000CF01}5192C:\Windows\System32\dllhost.exeC:\Windows\System32\shell32.dll10.0.14393.4402 (rs1_release.210426-1725)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=5B28CA0CDE72EA21C402B62DDA249256,SHA256=8E46588F0A51745F89CB6C3011B227BE504D9B9D14FF33910DF57F4EDF15ED9A,IMPHASH=2ED99A476E2DEFB78DF894322CB4A549trueMicrosoft WindowsValid 734700x8000000000000000150683953Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.247{3BF36828-BB2E-61F9-880D-02000000CF01}5192C:\Windows\System32\dllhost.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000150683952Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.247{3BF36828-BB2E-61F9-880D-02000000CF01}5192C:\Windows\System32\dllhost.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000150683951Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.247{3BF36828-BB2E-61F9-880D-02000000CF01}5192C:\Windows\System32\dllhost.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150683950Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.247{3BF36828-BB2E-61F9-880D-02000000CF01}5192C:\Windows\System32\dllhost.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000150683949Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.247{3BF36828-BB2E-61F9-880D-02000000CF01}5192C:\Windows\System32\dllhost.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 10341000x8000000000000000150683948Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.247{3BF36828-4B39-61E8-0C00-00000000CF01}8403164C:\Windows\system32\svchost.exe{3BF36828-BB2E-61F9-880D-02000000CF01}5192C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150683947Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.247{3BF36828-BB2E-61F9-880D-02000000CF01}5192C:\Windows\System32\dllhost.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2,IMPHASH=0BE8D1F061DD646F6D2B834CB7C9C900trueMicrosoft WindowsValid 734700x8000000000000000150683946Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.247{3BF36828-BB2E-61F9-880D-02000000CF01}5192C:\Windows\System32\dllhost.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000150683945Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.247{3BF36828-BB2E-61F9-880D-02000000CF01}5192C:\Windows\System32\dllhost.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000150683944Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.247{3BF36828-BB2E-61F9-880D-02000000CF01}5192C:\Windows\System32\dllhost.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000150683943Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.247{3BF36828-BB2E-61F9-880D-02000000CF01}5192C:\Windows\System32\dllhost.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000150683942Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.231{3BF36828-BB2E-61F9-880D-02000000CF01}5192C:\Windows\System32\dllhost.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000150683941Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.231{3BF36828-BB2E-61F9-880D-02000000CF01}5192C:\Windows\System32\dllhost.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000150683940Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.231{3BF36828-BB2E-61F9-880D-02000000CF01}5192C:\Windows\System32\dllhost.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000150683939Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.231{3BF36828-BB2E-61F9-880D-02000000CF01}5192C:\Windows\System32\dllhost.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000150683938Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.231{3BF36828-BB2E-61F9-880D-02000000CF01}5192C:\Windows\System32\dllhost.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150683937Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.231{3BF36828-BB2E-61F9-880D-02000000CF01}5192C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe10.0.14393.0 (rs1_release.160715-1616)COM SurrogateMicrosoft® Windows® Operating SystemMicrosoft Corporationdllhost.exeMD5=DA63852A2B0340E94D74EAF0CD444979,SHA256=EE8364C07B3F4F71FA649E0E6C4C73C15D285130E4B16E79890EEBBF89C2164E,IMPHASH=1C99A7F1249FB0C7B924253B69E59F88trueMicrosoft WindowsValid 10341000x8000000000000000150683936Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.231{3BF36828-4B36-61E8-0500-00000000CF01}416532C:\Windows\system32\csrss.exe{3BF36828-BB2E-61F9-880D-02000000CF01}5192C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000150683935Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.231{3BF36828-4B39-61E8-0C00-00000000CF01}8403164C:\Windows\system32\svchost.exe{3BF36828-BB2E-61F9-880D-02000000CF01}5192C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000150683934Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.231{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75E5DED05427368A48371FE3F7821A71,SHA256=17819FAD6A7E9FDDAB24EE701686F0999219D4D6D196BF632AB742DDD35B2FE5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000150683933Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.216{3BF36828-BB2E-61F9-870D-02000000CF01}2792C:\Windows\System32\taskhostw.exeC:\Windows\System32\TaskSchdPS.dll10.0.14393.0 (rs1_release.160715-1616)Task Scheduler Interfaces ProxyMicrosoft® Windows® Operating SystemMicrosoft CorporationTaskSchdPS.dllMD5=2C64E139BAC3F2852567622F77B02C50,SHA256=EA9ED3B6173722EA707EDCFD7276E036E56F957B85822B727986BCD6F7FACD5C,IMPHASH=83D2415AAD098FF1BBFF89F44AF25EC5trueMicrosoft WindowsValid 734700x8000000000000000150683932Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.216{3BF36828-BB2E-61F9-870D-02000000CF01}2792C:\Windows\System32\taskhostw.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x8000000000000000150683931Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.216{3BF36828-BB2E-61F9-870D-02000000CF01}2792C:\Windows\System32\taskhostw.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430D,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x8000000000000000150683930Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.216{3BF36828-BB2E-61F9-870D-02000000CF01}2792C:\Windows\System32\taskhostw.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CA,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x8000000000000000150683929Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.216{3BF36828-BB2E-61F9-870D-02000000CF01}2792C:\Windows\System32\taskhostw.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x8000000000000000150683928Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.216{3BF36828-BB2E-61F9-870D-02000000CF01}2792C:\Windows\System32\taskhostw.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x8000000000000000150683927Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.216{3BF36828-BB2E-61F9-870D-02000000CF01}2792C:\Windows\System32\taskhostw.exeC:\Windows\System32\windows.storage.dll10.0.14393.4402 (rs1_release.210426-1725)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=DCB0FEE21129CF5397BBB8060CC5F62C,SHA256=89A6859022294A24D5253F4206FD49A45A1DEF34ACC894BF94CA0203DAE81623,IMPHASH=181A859176420BBB803F246C0E4B0889trueMicrosoft WindowsValid 734700x8000000000000000150683926Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.216{3BF36828-BB2E-61F9-870D-02000000CF01}2792C:\Windows\System32\taskhostw.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x8000000000000000150683925Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.216{3BF36828-BB2E-61F9-870D-02000000CF01}2792C:\Windows\System32\taskhostw.exeC:\Windows\System32\shell32.dll10.0.14393.4402 (rs1_release.210426-1725)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=5B28CA0CDE72EA21C402B62DDA249256,SHA256=8E46588F0A51745F89CB6C3011B227BE504D9B9D14FF33910DF57F4EDF15ED9A,IMPHASH=2ED99A476E2DEFB78DF894322CB4A549trueMicrosoft WindowsValid 734700x8000000000000000150683924Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.216{3BF36828-BB2E-61F9-870D-02000000CF01}2792C:\Windows\System32\taskhostw.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2,IMPHASH=0BE8D1F061DD646F6D2B834CB7C9C900trueMicrosoft WindowsValid 734700x8000000000000000150683923Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.216{3BF36828-BB2E-61F9-870D-02000000CF01}2792C:\Windows\System32\taskhostw.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000150683922Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.216{3BF36828-BB2E-61F9-870D-02000000CF01}2792C:\Windows\System32\taskhostw.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000150683921Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.200{3BF36828-BB2E-61F9-870D-02000000CF01}2792C:\Windows\System32\taskhostw.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000150683920Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.200{3BF36828-BB2E-61F9-870D-02000000CF01}2792C:\Windows\System32\taskhostw.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000150683919Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.200{3BF36828-BB2E-61F9-870D-02000000CF01}2792C:\Windows\System32\taskhostw.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150683918Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.200{3BF36828-BB2E-61F9-870D-02000000CF01}2792C:\Windows\System32\taskhostw.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000150683917Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.200{3BF36828-BB2E-61F9-870D-02000000CF01}2792C:\Windows\System32\taskhostw.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 18141800x8000000000000000150683916Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-ConnectPipe2022-02-01 22:58:54.200{3BF36828-4B39-61E8-0F00-00000000CF01}100\TSVCPIPE-f3aae42b-6d29-4106-9be1-1abd921ef3a6C:\Windows\System32\svchost.exe 734700x8000000000000000150683915Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.200{3BF36828-BB2E-61F9-870D-02000000CF01}2792C:\Windows\System32\taskhostw.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000150683914Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.200{3BF36828-BB2E-61F9-870D-02000000CF01}2792C:\Windows\System32\taskhostw.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000150683913Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.200{3BF36828-BB2E-61F9-870D-02000000CF01}2792C:\Windows\System32\taskhostw.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000150683912Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.200{3BF36828-BB2E-61F9-870D-02000000CF01}2792C:\Windows\System32\taskhostw.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 10341000x8000000000000000150683911Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.200{3BF36828-4B39-61E8-0C00-00000000CF01}8403164C:\Windows\system32\svchost.exe{3BF36828-DC58-61EA-5E4E-00000000CF01}1296C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683910Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.200{3BF36828-4B39-61E8-0C00-00000000CF01}8403164C:\Windows\system32\svchost.exe{3BF36828-DC58-61EA-5E4E-00000000CF01}1296C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150683909Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.200{3BF36828-BB2E-61F9-870D-02000000CF01}2792C:\Windows\System32\taskhostw.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000150683908Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.200{3BF36828-BB2E-61F9-870D-02000000CF01}2792C:\Windows\System32\taskhostw.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000150683907Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.200{3BF36828-BB2E-61F9-870D-02000000CF01}2792C:\Windows\System32\taskhostw.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000150683906Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.200{3BF36828-BB2E-61F9-870D-02000000CF01}2792C:\Windows\System32\taskhostw.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000150683905Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.200{3BF36828-BB2E-61F9-870D-02000000CF01}2792C:\Windows\System32\taskhostw.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000150683904Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.200{3BF36828-BB2E-61F9-870D-02000000CF01}2792C:\Windows\System32\taskhostw.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150683903Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.200{3BF36828-BB2E-61F9-870D-02000000CF01}2792C:\Windows\System32\taskhostw.exeC:\Windows\System32\taskhostw.exe10.0.14393.3297 (rs1_release_1.191001-1045)Host Process for Windows TasksMicrosoft® Windows® Operating SystemMicrosoft Corporationtaskhostw.exeMD5=B5D41CD8E27C26DA82B11B277D233B04,SHA256=1876990EEBC99F0B0F66BEC435FE2810E450532E23E22427DA31A09802394461,IMPHASH=1CCD2E7A159E4500473733FB9D75028BtrueMicrosoft WindowsValid 10341000x8000000000000000150683902Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.200{3BF36828-4B39-61E8-0C00-00000000CF01}8403164C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683901Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.200{3BF36828-4B39-61E8-0C00-00000000CF01}8403164C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683900Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.200{3BF36828-4B39-61E8-0C00-00000000CF01}8403164C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683899Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.200{3BF36828-4B39-61E8-0C00-00000000CF01}8403164C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683898Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.200{3BF36828-4B39-61E8-0C00-00000000CF01}8403164C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2B00-00000000CF01}3000C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683897Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.200{3BF36828-4B39-61E8-0C00-00000000CF01}8403164C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2B00-00000000CF01}3000C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000150683896Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.200{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A32FE2A8F2D80ADE657568293622E58F,SHA256=00EF17E126C3412DEDBBFD2EADC5F3F94FEEE8B4E3524B4818F12CC19F3FAE38,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000150683895Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.185{3BF36828-4B39-61E8-0C00-00000000CF01}8403164C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683894Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.185{3BF36828-4B39-61E8-0C00-00000000CF01}8403164C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150683893Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.185{3BF36828-0669-61F8-11DA-01000000CF01}6068C:\Windows\explorer.exeC:\Windows\System32\taskschd.dll10.0.14393.4402 (rs1_release.210426-1725)Task Scheduler COM APIMicrosoft® Windows® Operating SystemMicrosoft Corporationtaskschd.dllMD5=76BF5CA81C749140E05C7519B13B299E,SHA256=D5CBDB2EEE67E582198F9DB213EC95DF9107F08D646E67FFA723066CC434B515,IMPHASH=2C7BF5CADC559377391AFDF385763E3CtrueMicrosoft WindowsValid 10341000x8000000000000000150683892Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.169{3BF36828-4B39-61E8-0C00-00000000CF01}8403164C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1700-00000000CF01}1424C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683891Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.169{3BF36828-4B39-61E8-0C00-00000000CF01}8403164C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+6260e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000150683890Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.169{3BF36828-4B39-61E8-0C00-00000000CF01}8403164C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-0F00-00000000CF01}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+625bd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 18141800x8000000000000000150683889Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-ConnectPipe2022-02-01 22:58:54.169{3BF36828-4B39-61E8-0F00-00000000CF01}100\TSVCPIPE-f3aae42b-6d29-4106-9be1-1abd921ef3a6C:\Windows\System32\svchost.exe 10341000x8000000000000000150683888Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.169{3BF36828-4B39-61E8-0C00-00000000CF01}8403164C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683887Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.169{3BF36828-4B39-61E8-0C00-00000000CF01}8403164C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683886Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.169{3BF36828-4B39-61E8-0C00-00000000CF01}8403164C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683885Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-BB29-61F9-7F0D-02000000CF01}6104C:\Windows\system32\TSTheme.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683884Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-ADC3-61F9-EF0B-02000000CF01}864C:\Tools\x64\mimikatz.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683883Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-9F77-61F9-3D0A-02000000CF01}6084C:\Windows\system32\conhost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683882Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-9F77-61F9-3C0A-02000000CF01}5760C:\Windows\system32\cmd.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683881Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-9F48-61F9-300A-02000000CF01}2504C:\Windows\system32\conhost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683880Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-9F48-61F9-2F0A-02000000CF01}4924C:\Windows\system32\cmd.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683879Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-96A8-61F9-2409-02000000CF01}5088C:\Windows\system32\conhost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683878Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-96A8-61F9-2309-02000000CF01}6048C:\Windows\system32\cmd.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683877Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-066A-61F8-13DA-01000000CF01}3168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683876Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-066A-61F8-12DA-01000000CF01}6088C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683875Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-0669-61F8-11DA-01000000CF01}6068C:\Windows\explorer.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683874Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-0828-61EF-D7CB-00000000CF01}4688C:\Windows\system32\conhost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683873Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-0828-61EF-D6CB-00000000CF01}3860C:\Windows\system32\cmd.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683872Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-DC58-61EA-614E-00000000CF01}5988C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683871Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-DC58-61EA-5E4E-00000000CF01}1296C:\Windows\System32\rdpclip.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683870Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-DC57-61EA-5B4E-00000000CF01}4144C:\Windows\system32\dwm.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683869Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-DC57-61EA-594E-00000000CF01}304C:\Windows\system32\winlogon.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683868Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4BC4-61E8-8400-00000000CF01}4780C:\Windows\System32\msdtc.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683867Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B5D-61E8-7600-00000000CF01}3900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683866Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B56-61E8-6D00-00000000CF01}4044C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683865Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B4B-61E8-4200-00000000CF01}3736C:\Windows\system32\conhost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683864Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B4B-61E8-3E00-00000000CF01}3632C:\Windows\System32\vds.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683863Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B4B-61E8-3D00-00000000CF01}3608C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683862Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B4B-61E8-3600-00000000CF01}3444C:\Windows\system32\conhost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683861Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B4A-61E8-3200-00000000CF01}1116C:\Windows\system32\wbem\unsecapp.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683860Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-3100-00000000CF01}2444C:\Windows\system32\inetsrv\inetinfo.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683859Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-3000-00000000CF01}2408C:\Windows\system32\dfssvc.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683858Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2F00-00000000CF01}2052C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683857Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2E00-00000000CF01}2160C:\Windows\system32\dns.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683856Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683855Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2C00-00000000CF01}3020C:\Windows\System32\ismserv.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683854Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2B00-00000000CF01}3000C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683853Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683852Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2900-00000000CF01}2980C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683851Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2700-00000000CF01}2840C:\Windows\system32\DFSRs.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683850Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2600-00000000CF01}2832C:\Windows\system32\ocspsvc.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683849Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2500-00000000CF01}2824C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683848Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2400-00000000CF01}2816C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683847Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2300-00000000CF01}2808C:\Windows\system32\certsrv.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683846Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2200-00000000CF01}2720C:\Windows\System32\spoolsv.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683845Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B43-61E8-2000-00000000CF01}2568C:\Windows\System32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683844Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1D00-00000000CF01}2104C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683843Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1700-00000000CF01}1424C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683842Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683841Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1500-00000000CF01}1232C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683840Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1400-00000000CF01}1072C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683839Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1300-00000000CF01}352C:\Windows\System32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683838Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1200-00000000CF01}412C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683837Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683836Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1000-00000000CF01}356C:\Windows\system32\dwm.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683835Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-0F00-00000000CF01}100C:\Windows\System32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683834Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-0E00-00000000CF01}996C:\Windows\system32\LogonUI.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683833Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-0D00-00000000CF01}900C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683832Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B37-61E8-0B00-00000000CF01}632C:\Windows\system32\lsass.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683831Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B37-61E8-0900-00000000CF01}572C:\Windows\system32\winlogon.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683830Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-BB29-61F9-7F0D-02000000CF01}6104C:\Windows\system32\TSTheme.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683829Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-ADC3-61F9-EF0B-02000000CF01}864C:\Tools\x64\mimikatz.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683828Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-9F77-61F9-3D0A-02000000CF01}6084C:\Windows\system32\conhost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683827Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-9F77-61F9-3C0A-02000000CF01}5760C:\Windows\system32\cmd.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683826Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-9F48-61F9-300A-02000000CF01}2504C:\Windows\system32\conhost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683825Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-9F48-61F9-2F0A-02000000CF01}4924C:\Windows\system32\cmd.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683824Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-96A8-61F9-2409-02000000CF01}5088C:\Windows\system32\conhost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683823Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-96A8-61F9-2309-02000000CF01}6048C:\Windows\system32\cmd.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683822Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-066A-61F8-13DA-01000000CF01}3168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683821Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-066A-61F8-12DA-01000000CF01}6088C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683820Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-0669-61F8-11DA-01000000CF01}6068C:\Windows\explorer.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683819Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-0828-61EF-D7CB-00000000CF01}4688C:\Windows\system32\conhost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683818Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-0828-61EF-D6CB-00000000CF01}3860C:\Windows\system32\cmd.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683817Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-DC58-61EA-614E-00000000CF01}5988C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683816Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-DC58-61EA-5E4E-00000000CF01}1296C:\Windows\System32\rdpclip.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683815Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-DC57-61EA-5B4E-00000000CF01}4144C:\Windows\system32\dwm.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683814Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-DC57-61EA-594E-00000000CF01}304C:\Windows\system32\winlogon.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683813Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4BC4-61E8-8400-00000000CF01}4780C:\Windows\System32\msdtc.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683812Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B5D-61E8-7600-00000000CF01}3900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683811Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B56-61E8-6D00-00000000CF01}4044C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683810Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B4B-61E8-4200-00000000CF01}3736C:\Windows\system32\conhost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683809Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B4B-61E8-3E00-00000000CF01}3632C:\Windows\System32\vds.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683808Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B4B-61E8-3D00-00000000CF01}3608C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683807Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B4B-61E8-3600-00000000CF01}3444C:\Windows\system32\conhost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683806Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B4A-61E8-3200-00000000CF01}1116C:\Windows\system32\wbem\unsecapp.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683805Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-3100-00000000CF01}2444C:\Windows\system32\inetsrv\inetinfo.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683804Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-3000-00000000CF01}2408C:\Windows\system32\dfssvc.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683803Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2F00-00000000CF01}2052C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683802Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2E00-00000000CF01}2160C:\Windows\system32\dns.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683801Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683800Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2C00-00000000CF01}3020C:\Windows\System32\ismserv.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683799Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2B00-00000000CF01}3000C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683798Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683797Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2900-00000000CF01}2980C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683796Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2700-00000000CF01}2840C:\Windows\system32\DFSRs.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683795Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2600-00000000CF01}2832C:\Windows\system32\ocspsvc.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683794Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2500-00000000CF01}2824C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683793Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2400-00000000CF01}2816C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683792Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2300-00000000CF01}2808C:\Windows\system32\certsrv.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683791Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2200-00000000CF01}2720C:\Windows\System32\spoolsv.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683790Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B43-61E8-2000-00000000CF01}2568C:\Windows\System32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683789Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1D00-00000000CF01}2104C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683788Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1700-00000000CF01}1424C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683787Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683786Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1500-00000000CF01}1232C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683785Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1400-00000000CF01}1072C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683784Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1300-00000000CF01}352C:\Windows\System32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683783Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1200-00000000CF01}412C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683782Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683781Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1000-00000000CF01}356C:\Windows\system32\dwm.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683780Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-0F00-00000000CF01}100C:\Windows\System32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683779Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-0E00-00000000CF01}996C:\Windows\system32\LogonUI.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683778Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-0D00-00000000CF01}900C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683777Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B37-61E8-0B00-00000000CF01}632C:\Windows\system32\lsass.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683776Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B37-61E8-0900-00000000CF01}572C:\Windows\system32\winlogon.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683775Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.138{3BF36828-4B3A-61E8-1600-00000000CF01}13002728C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+4689|c:\windows\system32\themeservice.dll+3fdd|c:\windows\system32\themeservice.dll+2870|c:\windows\system32\themeservice.dll+26d8|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000150683774Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.138{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE3A1DD2E89E4B8DF1D70593A9900A8D,SHA256=186A82731811E2B14088AE909E629741F3A3816F4DC6360293D68D9A97F0E3B1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000150683773Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.138{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2B00-00000000CF01}3000C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683772Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.138{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2B00-00000000CF01}3000C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000150683771Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.106{3BF36828-0669-61F8-11DA-01000000CF01}6068ATTACKRANGE\AdministratorC:\Windows\explorer.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1920_1080_POS4.jpgMD5=29909D3B662A429603C439A25717C213,SHA256=1C83A5D03C17235C3249936859F101C2934B0A7D569553A0D97C97A332ABE1AC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 18141800x8000000000000000150683770Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-ConnectPipe2022-02-01 22:58:54.106{3BF36828-4B39-61E8-0F00-00000000CF01}100\TSVCPIPE-f3aae42b-6d29-4106-9be1-1abd921ef3a6C:\Windows\System32\svchost.exe 734700x8000000000000000150683769Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.091{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=FD486B6FA360ABE43E02E85F3164E9BE,SHA256=733922A216EC03FC6AA405205CD2F8BB81A39180F26839588B97F310E21071B5,IMPHASH=C3F4A4DA2950075F09DD008B60FF567CtrueMicrosoft WindowsValid 18141800x8000000000000000150683768Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-ConnectPipe2022-02-01 22:58:54.075{3BF36828-4B39-61E8-0F00-00000000CF01}100\TSVCPIPE-f3aae42b-6d29-4106-9be1-1abd921ef3a6C:\Windows\System32\svchost.exe 734700x8000000000000000150683767Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.075{3BF36828-BB2E-61F9-860D-02000000CF01}5700C:\Windows\System32\AtBroker.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x8000000000000000150683766Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.075{3BF36828-BB2E-61F9-860D-02000000CF01}5700C:\Windows\System32\AtBroker.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 734700x8000000000000000150683765Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.060{3BF36828-BB2E-61F9-860D-02000000CF01}5700C:\Windows\System32\AtBroker.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x8000000000000000150683764Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.060{3BF36828-BB2E-61F9-860D-02000000CF01}5700C:\Windows\System32\AtBroker.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430D,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x8000000000000000150683763Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.060{3BF36828-BB2E-61F9-860D-02000000CF01}5700C:\Windows\System32\AtBroker.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000150683762Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.060{3BF36828-BB2E-61F9-860D-02000000CF01}5700C:\Windows\System32\AtBroker.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CA,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x8000000000000000150683761Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.060{3BF36828-BB2E-61F9-860D-02000000CF01}5700C:\Windows\System32\AtBroker.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x8000000000000000150683760Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.060{3BF36828-BB2E-61F9-860D-02000000CF01}5700C:\Windows\System32\AtBroker.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000150683759Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.060{3BF36828-BB2E-61F9-860D-02000000CF01}5700C:\Windows\System32\AtBroker.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000150683758Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.060{3BF36828-BB2E-61F9-860D-02000000CF01}5700C:\Windows\System32\AtBroker.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000150683757Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.060{3BF36828-BB2E-61F9-860D-02000000CF01}5700C:\Windows\System32\AtBroker.exeC:\Windows\System32\windows.storage.dll10.0.14393.4402 (rs1_release.210426-1725)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=DCB0FEE21129CF5397BBB8060CC5F62C,SHA256=89A6859022294A24D5253F4206FD49A45A1DEF34ACC894BF94CA0203DAE81623,IMPHASH=181A859176420BBB803F246C0E4B0889trueMicrosoft WindowsValid 734700x8000000000000000150683756Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.060{3BF36828-BB2E-61F9-860D-02000000CF01}5700C:\Windows\System32\AtBroker.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x8000000000000000150683755Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.060{3BF36828-BB2E-61F9-860D-02000000CF01}5700C:\Windows\System32\AtBroker.exeC:\Windows\System32\shell32.dll10.0.14393.4402 (rs1_release.210426-1725)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=5B28CA0CDE72EA21C402B62DDA249256,SHA256=8E46588F0A51745F89CB6C3011B227BE504D9B9D14FF33910DF57F4EDF15ED9A,IMPHASH=2ED99A476E2DEFB78DF894322CB4A549trueMicrosoft WindowsValid 734700x8000000000000000150683754Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.060{3BF36828-BB2E-61F9-860D-02000000CF01}5700C:\Windows\System32\AtBroker.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000150683753Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.060{3BF36828-BB2E-61F9-860D-02000000CF01}5700C:\Windows\System32\AtBroker.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000150683752Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.060{3BF36828-BB2E-61F9-860D-02000000CF01}5700C:\Windows\System32\AtBroker.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150683751Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.060{3BF36828-BB2E-61F9-860D-02000000CF01}5700C:\Windows\System32\AtBroker.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000150683750Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.060{3BF36828-BB2E-61F9-860D-02000000CF01}5700C:\Windows\System32\AtBroker.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000150683749Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.060{3BF36828-BB2E-61F9-860D-02000000CF01}5700C:\Windows\System32\AtBroker.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000150683748Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.060{3BF36828-BB2E-61F9-860D-02000000CF01}5700C:\Windows\System32\AtBroker.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000150683747Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.060{3BF36828-BB2E-61F9-860D-02000000CF01}5700C:\Windows\System32\AtBroker.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x8000000000000000150683746Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.060{3BF36828-BB2E-61F9-860D-02000000CF01}5700C:\Windows\System32\AtBroker.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000150683745Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.060{3BF36828-BB2E-61F9-860D-02000000CF01}5700C:\Windows\System32\AtBroker.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x8000000000000000150683744Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.060{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-DC57-61EA-594E-00000000CF01}304C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683743Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.060{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-DC57-61EA-594E-00000000CF01}304C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150683742Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.060{3BF36828-BB2E-61F9-860D-02000000CF01}5700C:\Windows\System32\AtBroker.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150683741Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.060{3BF36828-BB2E-61F9-860D-02000000CF01}5700C:\Windows\System32\AtBroker.exeC:\Windows\System32\AtBroker.exe10.0.14393.0 (rs1_release.160715-1616)Windows Assistive Technology ManagerMicrosoft® Windows® Operating SystemMicrosoft CorporationATBroker.exeMD5=8507D8A98EFA12F285A504DAEF14A0A5,SHA256=A84417EE9D039891AF43B267896DB921A40838D8A17CC1BE29785D031E5944D4,IMPHASH=9E9F046950193A8BA7AB446E4274C9D6trueMicrosoft WindowsValid 10341000x8000000000000000150683740Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.060{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683739Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.060{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683738Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.060{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683737Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.044{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683736Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.044{3BF36828-DC57-61EA-584E-00000000CF01}10404376C:\Windows\system32\csrss.exe{3BF36828-BB2E-61F9-860D-02000000CF01}5700C:\Windows\system32\atbroker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000150683735Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.044{3BF36828-DC57-61EA-594E-00000000CF01}3041468C:\Windows\system32\winlogon.exe{3BF36828-BB2E-61F9-860D-02000000CF01}5700C:\Windows\system32\atbroker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\winlogon.exe+15b13|C:\Windows\system32\winlogon.exe+3b284|C:\Windows\system32\winlogon.exe+38b7a|C:\Windows\system32\winlogon.exe+44b92|C:\Windows\system32\winlogon.exe+b12f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000150683734Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.054{3BF36828-BB2E-61F9-860D-02000000CF01}5700C:\Windows\System32\AtBroker.exe10.0.14393.0 (rs1_release.160715-1616)Windows Assistive Technology ManagerMicrosoft® Windows® Operating SystemMicrosoft CorporationATBroker.exeatbroker.exeC:\Windows\system32\ATTACKRANGE\Administrator{3BF36828-DC57-61EA-2C91-EE0200000000}0x2ee912c3HighMD5=8507D8A98EFA12F285A504DAEF14A0A5,SHA256=A84417EE9D039891AF43B267896DB921A40838D8A17CC1BE29785D031E5944D4,IMPHASH=9E9F046950193A8BA7AB446E4274C9D6{3BF36828-DC57-61EA-594E-00000000CF01}304C:\Windows\System32\winlogon.exewinlogon.exe 734700x8000000000000000150683733Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.044{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\UIAutomationCore.dll7.2.14393.4169 (rs1_release.210107-1130)Microsoft UI Automation CoreMicrosoft® Windows® Operating SystemMicrosoft CorporationUIAutomationCore.dllMD5=9B2DCFE11EEBDDC18A8F5964E04E64A0,SHA256=5CBC5B45B9EB5B4EF1360005CD675D20D7EE9FE588DA24543FF7C9ACB88317FF,IMPHASH=6691D3D33C2662107A11540A5A994674trueMicrosoft WindowsValid 10341000x8000000000000000150683732Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.044{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683731Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.028{3BF36828-4B39-61E8-0C00-00000000CF01}8403164C:\Windows\system32\svchost.exe{3BF36828-0669-61F8-11DA-01000000CF01}6068C:\Windows\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683730Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.028{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+2b2a|c:\windows\system32\SYSNTFY.dll+15cd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49e78|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683729Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.028{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+48674|C:\Windows\System32\RPCRT4.dll+31850|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683728Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.028{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-DC58-61EA-5E4E-00000000CF01}1296C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+6260e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000150683727Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.028{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-0F00-00000000CF01}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+625bd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 18141800x8000000000000000150683726Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-ConnectPipe2022-02-01 22:58:54.028{3BF36828-4B39-61E8-0F00-00000000CF01}100\TSVCPIPE-f3aae42b-6d29-4106-9be1-1abd921ef3a6C:\Windows\System32\svchost.exe 734700x8000000000000000150683725Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.013{3BF36828-BB2D-61F9-850D-02000000CF01}1068C:\Windows\System32\rdpclip.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x8000000000000000150683724Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.013{3BF36828-BB2D-61F9-850D-02000000CF01}1068C:\Windows\System32\rdpclip.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000150683723Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.013{3BF36828-BB2D-61F9-850D-02000000CF01}1068C:\Windows\System32\rdpclip.exeC:\Windows\System32\winsta.dll10.0.14393.0 (rs1_release.160715-1616)Winstation LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationwinsta.dllMD5=12668CEFEE3754CFA61C5699821668B3,SHA256=D0C81619EDE8B846D98417989684EF16DF3A053CC049C7281E40F3359AD5B570,IMPHASH=2E790E44628AED89C2CC17E1E4A5CE1CtrueMicrosoft WindowsValid 734700x8000000000000000150683722Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.013{3BF36828-BB2D-61F9-850D-02000000CF01}1068C:\Windows\System32\rdpclip.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000150683721Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.013{3BF36828-BB2D-61F9-850D-02000000CF01}1068C:\Windows\System32\rdpclip.exeC:\Windows\System32\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=74621C6ABE4E9A568DF0A38E7282D71E,SHA256=0788A092D47800D0EB120A7DBB9E59234D0722A4A2E80ECE6CE70E3A84A3750A,IMPHASH=ADB9F71ACD4F7D3CF761AB6C59A7F1E5trueMicrosoft WindowsValid 734700x8000000000000000150683720Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.013{3BF36828-BB2D-61F9-850D-02000000CF01}1068C:\Windows\System32\rdpclip.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045,IMPHASH=2005807FD04567B79F4109D23F9E6018trueMicrosoft WindowsValid 734700x8000000000000000150683719Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.013{3BF36828-BB2D-61F9-850D-02000000CF01}1068C:\Windows\System32\rdpclip.exeC:\Windows\System32\mpr.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Multiple Provider Router DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmpr.dllMD5=0E56DB60C434D51769F2DAC48B9AA686,SHA256=3F9AED98B1B7F6A59C219F622FD91C7FD20BFE280935F5334920A02ECCAE7ED6,IMPHASH=46ADE2B067E724C7163A0B1902FEF225trueMicrosoft WindowsValid 734700x8000000000000000150683718Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.013{3BF36828-BB2D-61F9-850D-02000000CF01}1068C:\Windows\System32\rdpclip.exeC:\Windows\System32\wtsapi32.dll10.0.14393.0 (rs1_release.160715-1616)Windows Remote Desktop Session Host Server SDK APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationwtsapi32.dllMD5=D0DB3DD09FB2B4ADABF4E719FAFC4EB9,SHA256=8B7C056B5F4AB604ED5077A39C63CE1B5A34929DE76DA4A3C54D6E648D123BAB,IMPHASH=AD7CEB919D43FA2BD394EC803EB6BCDAtrueMicrosoft WindowsValid 734700x8000000000000000150683717Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.013{3BF36828-BB2D-61F9-850D-02000000CF01}1068C:\Windows\System32\rdpclip.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242,IMPHASH=B6562243FBF394F03046E917C719260FtrueMicrosoft WindowsValid 734700x8000000000000000150683716Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.013{3BF36828-BB2D-61F9-850D-02000000CF01}1068C:\Windows\System32\rdpclip.exeC:\Windows\System32\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=95BA70CFA8087A209500D7D350BF3A59,SHA256=4265157E8DC2A0E32A6328D54181CC31FD24E3017E60B270623C2CDBE5FAB4FA,IMPHASH=5BAA515B293A764CA06512D078C4E624trueMicrosoft WindowsValid 734700x8000000000000000150683715Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.013{3BF36828-BB2D-61F9-850D-02000000CF01}1068C:\Windows\System32\rdpclip.exeC:\Windows\System32\setupapi.dll10.0.14393.2608 (rs1_release.181024-1742)Windows Setup APIMicrosoft® Windows® Operating SystemMicrosoft CorporationSETUPAPI.DLLMD5=8EEA3E9E124AC395915517588723F12E,SHA256=ED63B8F0079069271F46EECCB4B0CF384D02BD1E18FE3BA635A0C0B1284B2CBE,IMPHASH=5910ADAAC44A92AFA6ED871531949CEEtrueMicrosoft WindowsValid 734700x8000000000000000150683714Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.013{3BF36828-BB2D-61F9-850D-02000000CF01}1068C:\Windows\System32\rdpclip.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x8000000000000000150683713Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.013{3BF36828-BB2D-61F9-850D-02000000CF01}1068C:\Windows\System32\rdpclip.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430D,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x8000000000000000150683712Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.013{3BF36828-BB2D-61F9-850D-02000000CF01}1068C:\Windows\System32\rdpclip.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000150683711Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.013{3BF36828-BB2D-61F9-850D-02000000CF01}1068C:\Windows\System32\rdpclip.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CA,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x8000000000000000150683710Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.013{3BF36828-BB2D-61F9-850D-02000000CF01}1068C:\Windows\System32\rdpclip.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x8000000000000000150683709Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.013{3BF36828-BB2D-61F9-850D-02000000CF01}1068C:\Windows\System32\rdpclip.exeC:\Windows\System32\windows.storage.dll10.0.14393.4402 (rs1_release.210426-1725)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=DCB0FEE21129CF5397BBB8060CC5F62C,SHA256=89A6859022294A24D5253F4206FD49A45A1DEF34ACC894BF94CA0203DAE81623,IMPHASH=181A859176420BBB803F246C0E4B0889trueMicrosoft WindowsValid 10341000x8000000000000000150683708Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.013{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-0669-61F8-11DA-01000000CF01}6068C:\Windows\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150683707Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.013{3BF36828-BB2D-61F9-850D-02000000CF01}1068C:\Windows\System32\rdpclip.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x8000000000000000150683706Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.013{3BF36828-BB2D-61F9-850D-02000000CF01}1068C:\Windows\System32\rdpclip.exeC:\Windows\System32\shell32.dll10.0.14393.4402 (rs1_release.210426-1725)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=5B28CA0CDE72EA21C402B62DDA249256,SHA256=8E46588F0A51745F89CB6C3011B227BE504D9B9D14FF33910DF57F4EDF15ED9A,IMPHASH=2ED99A476E2DEFB78DF894322CB4A549trueMicrosoft WindowsValid 18141800x8000000000000000150683705Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-ConnectPipe2022-02-01 22:58:54.013{3BF36828-4B39-61E8-0F00-00000000CF01}100\TSVCPIPE-f3aae42b-6d29-4106-9be1-1abd921ef3a6C:\Windows\System32\svchost.exe 734700x8000000000000000150683704Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.013{3BF36828-BB2D-61F9-850D-02000000CF01}1068C:\Windows\System32\rdpclip.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000150683703Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.013{3BF36828-BB2D-61F9-850D-02000000CF01}1068C:\Windows\System32\rdpclip.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000150683702Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.013{3BF36828-BB2D-61F9-850D-02000000CF01}1068C:\Windows\System32\rdpclip.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000150683701Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.013{3BF36828-BB2D-61F9-850D-02000000CF01}1068C:\Windows\System32\rdpclip.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 18141800x8000000000000000150683700Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-ConnectPipe2022-02-01 22:58:54.013{3BF36828-4B39-61E8-0F00-00000000CF01}100\TSVCPIPE-f3aae42b-6d29-4106-9be1-1abd921ef3a6C:\Windows\System32\svchost.exe 10341000x8000000000000000150683699Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.013{3BF36828-4B39-61E8-0C00-00000000CF01}8403164C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150683698Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.013{3BF36828-BB2D-61F9-850D-02000000CF01}1068C:\Windows\System32\rdpclip.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 10341000x8000000000000000150683697Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.013{3BF36828-4B39-61E8-0C00-00000000CF01}8401248C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683696Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.013{3BF36828-4B39-61E8-0C00-00000000CF01}8401248C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150683695Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.013{3BF36828-BB2D-61F9-850D-02000000CF01}1068C:\Windows\System32\rdpclip.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 10341000x8000000000000000150683694Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.013{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683693Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.013{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683692Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.013{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683691Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.013{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150683690Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.013{3BF36828-BB2D-61F9-850D-02000000CF01}1068C:\Windows\System32\rdpclip.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150683689Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.013{3BF36828-BB2D-61F9-850D-02000000CF01}1068C:\Windows\System32\rdpclip.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000150683688Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.013{3BF36828-BB2D-61F9-850D-02000000CF01}1068C:\Windows\System32\rdpclip.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 10341000x8000000000000000150683687Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.013{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683686Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.013{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150683685Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.013{3BF36828-BB2D-61F9-850D-02000000CF01}1068C:\Windows\System32\rdpclip.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 10341000x8000000000000000150683684Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.013{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683683Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.013{3BF36828-4B39-61E8-0C00-00000000CF01}8403164C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+5b40|c:\windows\system32\lsm.dll+2de4|c:\windows\system32\lsm.dll+57af|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683682Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.013{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683681Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.013{3BF36828-4B39-61E8-0C00-00000000CF01}8403164C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+2dce|c:\windows\system32\lsm.dll+57af|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150683680Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.013{3BF36828-BB2D-61F9-850D-02000000CF01}1068C:\Windows\System32\rdpclip.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 10341000x8000000000000000150683679Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.013{3BF36828-4B39-61E8-0C00-00000000CF01}8403164C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+5b40|c:\windows\system32\lsm.dll+5f9d|c:\windows\system32\lsm.dll+57a4|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683678Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.013{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-DC58-61EA-5E4E-00000000CF01}1296C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683677Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.013{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-DC58-61EA-5E4E-00000000CF01}1296C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683676Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.013{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683675Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.013{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150683674Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.013{3BF36828-BB2D-61F9-850D-02000000CF01}1068C:\Windows\System32\rdpclip.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x8000000000000000150683673Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.013{3BF36828-4B39-61E8-0C00-00000000CF01}8405768C:\Windows\system32\svchost.exe{3BF36828-DC58-61EA-5E4E-00000000CF01}1296C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683672Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.013{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683671Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.013{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683670Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.013{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683669Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.013{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683668Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.013{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683667Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.013{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683666Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.013{3BF36828-4B39-61E8-0C00-00000000CF01}8405768C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683665Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.013{3BF36828-4B39-61E8-0C00-00000000CF01}8405768C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683664Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.013{3BF36828-4B39-61E8-0C00-00000000CF01}8405768C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683663Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.997{3BF36828-4B39-61E8-0C00-00000000CF01}8405768C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683662Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.997{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683661Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.997{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683660Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.997{3BF36828-DC57-61EA-584E-00000000CF01}10405080C:\Windows\system32\csrss.exe{3BF36828-BB2D-61F9-850D-02000000CF01}1068C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 734700x8000000000000000150683659Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.997{3BF36828-BB2D-61F9-850D-02000000CF01}1068C:\Windows\System32\rdpclip.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000150683658Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.997{3BF36828-BB2D-61F9-850D-02000000CF01}1068C:\Windows\System32\rdpclip.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x8000000000000000150683657Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.997{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-0669-61F8-11DA-01000000CF01}6068C:\Windows\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683656Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.997{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-DC58-61EA-5E4E-00000000CF01}1296C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683655Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.997{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-DC58-61EA-5E4E-00000000CF01}1296C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683654Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.997{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150683653Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.997{3BF36828-BB2D-61F9-850D-02000000CF01}1068C:\Windows\System32\rdpclip.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000150683652Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.997{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150683651Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.997{3BF36828-BB2D-61F9-850D-02000000CF01}1068C:\Windows\System32\rdpclip.exeC:\Windows\System32\rdpclip.exe10.0.14393.3503 (rs1_release.200131-0410)RDP Clipboard MonitorMicrosoft® Windows® Operating SystemMicrosoft Corporationrdpclip.exeMD5=D887E718FB0F4C99B9F01C5BD59F8B90,SHA256=ACFA1128B4EDD953F6364FA6216337A59C0522A01349263A11259A827838A56F,IMPHASH=5A464814303942D42A66B561CF697F26trueMicrosoft WindowsValid 10341000x8000000000000000150683650Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.997{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683649Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.997{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683648Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.997{3BF36828-4B36-61E8-0500-00000000CF01}416532C:\Windows\system32\csrss.exe{3BF36828-BB2D-61F9-850D-02000000CF01}1068C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000150683647Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.997{3BF36828-4B39-61E8-0F00-00000000CF01}1005664C:\Windows\System32\svchost.exe{3BF36828-BB2D-61F9-850D-02000000CF01}1068C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\termsrv.dll+47f71|c:\windows\system32\termsrv.dll+549f2|c:\windows\system32\termsrv.dll+22ee6|c:\windows\system32\termsrv.dll+22763|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 154100x8000000000000000150683646Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.990{3BF36828-BB2D-61F9-850D-02000000CF01}1068C:\Windows\System32\rdpclip.exe10.0.14393.3503 (rs1_release.200131-0410)RDP Clipboard MonitorMicrosoft® Windows® Operating SystemMicrosoft Corporationrdpclip.exerdpclipC:\Windows\system32\ATTACKRANGE\Administrator{3BF36828-DC57-61EA-2C91-EE0200000000}0x2ee912c3HighMD5=D887E718FB0F4C99B9F01C5BD59F8B90,SHA256=ACFA1128B4EDD953F6364FA6216337A59C0522A01349263A11259A827838A56F,IMPHASH=5A464814303942D42A66B561CF697F26{3BF36828-4B39-61E8-0F00-00000000CF01}100C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k termsvcs 23542300x8000000000000000150683645Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.997{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7500B3F7D06B1F01E15252FE7F904142,SHA256=2D17770BF787DA5917DC4CEA626A898E72D75A672F9691E25A33E042E480AA92,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000150683644Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.997{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683643Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.997{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683642Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.997{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683641Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.997{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683640Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.997{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000071087198Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:55.626{B81B27B7-4B3A-61E8-1000-00000000CE01}984NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=1B28400F42116E2CC2EFB3A5AE24236E,SHA256=309E1CCFC6CE0F0E2C1648CD7DF5DB00D18835A62C678582B8635587BC87A1EA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087197Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:55.189{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F207E1E9FA2CEB62EFAE06167CCBA334,SHA256=DACDA9D00AF9DF63261320ED9890A951FEF2ABCD2E1B301ACC73E184B5D34E47,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150683981Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:55.450{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FD70B0AAA2F95B1A1AE190C69C0FBE7,SHA256=B90C6D149E900782D804F54EEF40C7CF1E11EA0A2C962C33667CE58D1E5281DE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150683980Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:55.028{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=92F8AD4D6631A564611ABAFC51BF1700,SHA256=ED83D1B468A191CEAB9FB9F4EF13A8E972F842EDDED5D905D7CEB87F03EB2CC2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150683990Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:56.450{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13AD70EB3EC5FE37211B7CD83E4AAEB9,SHA256=293F7B62DB33385DBE31ABD1282E0BAFBB2658541ACDDB4ECABE7FDC6CFAD5F7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087199Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:56.392{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBE39A2DBF34D547B8B5DA4B1B5A1194,SHA256=64496E3ED2D7AF80E03C6B10C3AA8D5B872D368A2FD7CF0C462484EDA7E437BB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000150683989Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:38.710{3BF36828-4B56-61E8-6D00-00000000CF01}4044C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local59767-false10.0.1.12-8000- 354300x8000000000000000150683988Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:38.331{3BF36828-4B39-61E8-1400-00000000CF01}1072C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10e:0:0:9880:a4c4:39b:ffff-57090-truee000:fc:0:0:0:0:0:0-5355llmnr 354300x8000000000000000150683987Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:38.331{3BF36828-4B39-61E8-1400-00000000CF01}1072C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local57090-trueff02:0:0:0:0:0:1:3-5355llmnr 354300x8000000000000000150683986Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:38.330{3BF36828-4B33-61E8-0100-00000000CF01}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255-137netbios-nsfalse10.0.1.14win-dc-128.attackrange.local137netbios-ns 354300x8000000000000000150683985Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:38.330{3BF36828-4B33-61E8-0100-00000000CF01}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-128.attackrange.local137netbios-nsfalse10.0.1.255-137netbios-ns 354300x8000000000000000150683984Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:38.321{3BF36828-4B49-61E8-2E00-00000000CF01}2160C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-128.attackrange.local55628-false10.0.0.2ip-10-0-0-2.us-west-2.compute.internal53domain 354300x8000000000000000150683983Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:38.321{3BF36828-4B49-61E8-2E00-00000000CF01}2160C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local58202- 23542300x8000000000000000150683982Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:56.138{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=704E344A4384F6D4A5313A6C8DE1AE45,SHA256=177BA9ECE9C05E9AE6DA6F0DD0C958018BFDBE6ADA7D7A38D583509D61104D04,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150683996Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:57.466{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30C14BABBCFC9A616CCB5CEBE8DBF02B,SHA256=14007CB8290404CB9E3B9E45506A1CF7868D37CBE8B2A805A482F7AAD58C103B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000071087201Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:50.889{B81B27B7-4B45-61E8-6600-00000000CE01}4020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local54098-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000071087200Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:57.407{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E699E2FEAE09CA46D1FCF0364AE49F3,SHA256=ACE057A06095DB86B80BC3B84D4CF2A6DA3776F785532824E68394D5ECFA82DC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000150683995Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:57.435{3BF36828-DC58-61EA-5E4E-00000000CF01}12961664C:\Windows\System32\rdpclip.exe{3BF36828-0669-61F8-11DA-01000000CF01}6068C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a30ce|C:\Windows\System32\SHELL32.dll+d5032|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683994Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:57.435{3BF36828-DC58-61EA-5E4E-00000000CF01}12961664C:\Windows\System32\rdpclip.exe{3BF36828-0669-61F8-11DA-01000000CF01}6068C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a3038|C:\Windows\System32\SHELL32.dll+d5032|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683993Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:57.435{3BF36828-DC58-61EA-5E4E-00000000CF01}12961664C:\Windows\System32\rdpclip.exe{3BF36828-0669-61F8-11DA-01000000CF01}6068C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+a301a|C:\Windows\System32\SHELL32.dll+d5032|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000150683992Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:57.435{3BF36828-DC58-61EA-5E4E-00000000CF01}12961664C:\Windows\System32\rdpclip.exe{3BF36828-0669-61F8-11DA-01000000CF01}6068C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+a301a|C:\Windows\System32\SHELL32.dll+d5032|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000150683991Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:57.372{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C00E624B94FD6674ED71F3D113DC7924,SHA256=E97B1A19D25526BF2882964981CFF3FEE0BAD3CA6AEE100D0552AACB8CEAFA7F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087202Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:58.408{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35AD4C3765BB5D325C09741462449789,SHA256=4FD9CAFFFA5EA7339753C7D1B9BED7AB2765D086386F38626A059C54AD1C261A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150683997Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:58.481{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26984FC7C7127AC23E3478C8423DB2AC,SHA256=BC1515E9569D0C9272A08F221AC2D59A61B7C509E305DA1F64CB5EED53F5AEE1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087203Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:59.564{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76AEB565C1FF3931437E554C7B022AC2,SHA256=B1D7B5C61DA2792F3EA1C249E2D3AB89EE3D3AA2A6DD99B9EAF9A65FEC9B8496,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150683999Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:59.481{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=398479408533E1978059D23610EB8807,SHA256=3AEF65465A0A3A13404C32D24021A18079792DF95BA2128B8424337571000212,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150683998Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:59.075{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=03D3C8E296F9C16576ACBD8533BA9876,SHA256=783758017B4881E52890B1B62762FBDCE045220DE0F973D4CCBFEB77CABF1CE8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684001Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:00.810{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=56DC0D45E760F49D318312269DCD3826,SHA256=C80DBD0211AD17735FFFFD94CCCDDEF239681DF3DCEE6549FCC994D22369E277,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684000Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:00.513{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F2FAC624DAD110D4A05650C2A2E62A6,SHA256=167AB666DB9DD3E7310251742093CBC55DF06FD3B1780D20D5CBFB26D217F838,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087204Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:00.581{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=878B835C3376F0475975CBDAAE47DBD1,SHA256=F168F2463581AAA8395207D9F31EB64750C7CB3FCF016149CB4C98EA96217BA1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087205Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:01.595{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57F33CEB05B01EDB60C8AF6DBF9B1538,SHA256=7DA9D8E5870F6E13554CA14129AD37E3313C0A37D25A3890AC6E33571BD2E9C5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684002Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:01.528{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43C8B0401E5E47A474CAB23395C8844E,SHA256=840DD371176FAE2E57B1E1A237D553ED840347E5F863F10A5691C3F50EC181BC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000150684052Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:02.950{3BF36828-BB36-61F9-890D-02000000CF01}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000150684051Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:02.950{3BF36828-BB36-61F9-890D-02000000CF01}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000150684050Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:02.950{3BF36828-BB36-61F9-890D-02000000CF01}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000150684049Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:02.950{3BF36828-BB36-61F9-890D-02000000CF01}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000150684048Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:02.935{3BF36828-BB36-61F9-890D-02000000CF01}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000150684047Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:02.935{3BF36828-BB36-61F9-890D-02000000CF01}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000150684046Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:02.935{3BF36828-BB36-61F9-890D-02000000CF01}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000150684045Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:02.935{3BF36828-BB36-61F9-890D-02000000CF01}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000150684044Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:02.935{3BF36828-BB36-61F9-890D-02000000CF01}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000150684043Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:02.935{3BF36828-BB36-61F9-890D-02000000CF01}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000150684042Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:02.935{3BF36828-BB36-61F9-890D-02000000CF01}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000150684041Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:02.919{3BF36828-BB36-61F9-890D-02000000CF01}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000150684040Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:02.919{3BF36828-BB36-61F9-890D-02000000CF01}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000150684039Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:02.919{3BF36828-BB36-61F9-890D-02000000CF01}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000150684038Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:02.919{3BF36828-BB36-61F9-890D-02000000CF01}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000150684037Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:02.919{3BF36828-BB36-61F9-890D-02000000CF01}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150684036Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:02.919{3BF36828-BB36-61F9-890D-02000000CF01}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000150684035Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:02.919{3BF36828-BB36-61F9-890D-02000000CF01}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000150684034Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:02.919{3BF36828-BB36-61F9-890D-02000000CF01}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000150684033Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:02.919{3BF36828-BB36-61F9-890D-02000000CF01}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000150684032Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:02.919{3BF36828-BB36-61F9-890D-02000000CF01}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000150684031Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:02.919{3BF36828-BB36-61F9-890D-02000000CF01}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000150684030Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:02.919{3BF36828-BB36-61F9-890D-02000000CF01}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000150684029Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:02.919{3BF36828-BB36-61F9-890D-02000000CF01}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000150684028Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:02.919{3BF36828-BB36-61F9-890D-02000000CF01}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000150684027Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:02.919{3BF36828-BB36-61F9-890D-02000000CF01}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000150684026Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:02.919{3BF36828-BB36-61F9-890D-02000000CF01}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000150684025Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:02.919{3BF36828-BB36-61F9-890D-02000000CF01}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000150684024Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:02.919{3BF36828-BB36-61F9-890D-02000000CF01}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000150684023Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:02.919{3BF36828-BB36-61F9-890D-02000000CF01}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000150684022Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:02.919{3BF36828-BB36-61F9-890D-02000000CF01}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000150684021Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:02.919{3BF36828-BB36-61F9-890D-02000000CF01}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000150684020Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:02.919{3BF36828-BB36-61F9-890D-02000000CF01}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000150684019Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:02.919{3BF36828-BB36-61F9-890D-02000000CF01}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000150684018Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:02.919{3BF36828-BB36-61F9-890D-02000000CF01}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x8000000000000000150684017Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:02.919{3BF36828-BB36-61F9-890D-02000000CF01}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 10341000x8000000000000000150684016Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:02.919{3BF36828-4B4B-61E8-3600-00000000CF01}34443464C:\Windows\system32\conhost.exe{3BF36828-BB36-61F9-890D-02000000CF01}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150684015Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:02.919{3BF36828-BB36-61F9-890D-02000000CF01}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000150684014Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:02.919{3BF36828-BB36-61F9-890D-02000000CF01}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000150684013Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:02.919{3BF36828-BB36-61F9-890D-02000000CF01}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150684012Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:02.919{3BF36828-BB36-61F9-890D-02000000CF01}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8trueSplunk, Inc.Valid 10341000x8000000000000000150684011Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:02.919{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684010Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:02.919{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684009Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:02.919{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684008Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:02.919{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684007Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:02.919{3BF36828-4B36-61E8-0500-00000000CF01}4164876C:\Windows\system32\csrss.exe{3BF36828-BB36-61F9-890D-02000000CF01}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000150684006Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:02.919{3BF36828-4B49-61E8-2D00-00000000CF01}30564072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-BB36-61F9-890D-02000000CF01}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000150684005Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:02.888{3BF36828-BB36-61F9-890D-02000000CF01}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4B37-61E8-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000150684004Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:43.834{3BF36828-4B56-61E8-6D00-00000000CF01}4044C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local59768-false10.0.1.12-8000- 23542300x8000000000000000150684003Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:02.560{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B27BAD210C76450C433CD60556C70689,SHA256=D759EE4CAEBF2589954DD5C852FAF9E3F6B69927E3303F3E4F48B24F42E83844,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087206Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:02.626{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47C9D0B0855E4040384A273D3302F571,SHA256=40D661AFAAB44B62A69216D0A4E20CBBE392F6A66217D1462541DE9FE9C09F33,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684113Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:03.919{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F31AA3823F63CAB4ABAD7EAB06906390,SHA256=460A6D56204D1D1424D2ADB6448E6B7F9FA97A5476282EB702AF2BBB24121519,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000150684112Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:03.794{3BF36828-BB37-61F9-8A0D-02000000CF01}1864956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150684111Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:03.794{3BF36828-BB37-61F9-8A0D-02000000CF01}1864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000150684110Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:03.794{3BF36828-BB37-61F9-8A0D-02000000CF01}1864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000150684109Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:03.747{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exeC:\Windows\System32\drvstore.dll10.0.14393.2791 (rs1_release.190205-1511)Driver Store APIMicrosoft® Windows® Operating SystemMicrosoft CorporationDRVSTORE.DLLMD5=D0DE1D69FC3F00F65F8D67C31BCC9682,SHA256=F27CEB248FCB3444B850896CB916DACC10BC730E7C2679D2A6C2582CC667F8AD,IMPHASH=AC3F232984E3ABCCF80F1B2A1ACA9991trueMicrosoft WindowsValid 23542300x8000000000000000150684108Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:03.778{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4540ADDD76106B077223CC56105197FB,SHA256=F0203125C8EFB615C7431C07DFF085DB21C4C903067FD714ADC49D119DC0B81D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000150684107Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:03.763{3BF36828-4B39-61E8-1400-00000000CF01}10721612C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150684106Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:03.747{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exeC:\Windows\System32\devinv.dll10.0.19645.1032 (WinBuild.160101.0800)Device Inventory LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationdevinv.dllMD5=8BFD253467CDB3F41ED2A23FE08B361D,SHA256=5A938F1A6D0FF39BE7B5BD88F46988F4CDAA78134E9E22AC02C46EC688819D17,IMPHASH=94EEFF72CC677C4C4124B0B3A85F7825trueMicrosoft WindowsValid 734700x8000000000000000150684105Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:03.747{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x8000000000000000150684104Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:03.747{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000150684103Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:03.638{3BF36828-BB37-61F9-8A0D-02000000CF01}1864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000150684102Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:03.638{3BF36828-BB37-61F9-8A0D-02000000CF01}1864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000150684101Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:03.638{3BF36828-BB37-61F9-8A0D-02000000CF01}1864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000150684100Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:03.622{3BF36828-BB37-61F9-8A0D-02000000CF01}1864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000150684099Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:03.622{3BF36828-BB37-61F9-8A0D-02000000CF01}1864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000150684098Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:03.622{3BF36828-BB37-61F9-8A0D-02000000CF01}1864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000150684097Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:03.622{3BF36828-BB37-61F9-8A0D-02000000CF01}1864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000150684096Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:03.622{3BF36828-BB37-61F9-8A0D-02000000CF01}1864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000150684095Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:03.622{3BF36828-BB37-61F9-8A0D-02000000CF01}1864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000150684094Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:03.622{3BF36828-BB37-61F9-8A0D-02000000CF01}1864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000150684093Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:03.622{3BF36828-BB37-61F9-8A0D-02000000CF01}1864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000150684092Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:03.622{3BF36828-BB37-61F9-8A0D-02000000CF01}1864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000150684091Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:03.622{3BF36828-BB37-61F9-8A0D-02000000CF01}1864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000150684090Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:03.622{3BF36828-BB37-61F9-8A0D-02000000CF01}1864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000150684089Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:03.622{3BF36828-BB37-61F9-8A0D-02000000CF01}1864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000150684088Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:03.622{3BF36828-BB37-61F9-8A0D-02000000CF01}1864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000150684087Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:03.622{3BF36828-BB37-61F9-8A0D-02000000CF01}1864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000150684086Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:03.622{3BF36828-BB37-61F9-8A0D-02000000CF01}1864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000150684085Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:03.622{3BF36828-BB37-61F9-8A0D-02000000CF01}1864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000150684084Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:03.622{3BF36828-BB37-61F9-8A0D-02000000CF01}1864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000150684083Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:03.606{3BF36828-BB37-61F9-8A0D-02000000CF01}1864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000150684082Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:03.606{3BF36828-BB37-61F9-8A0D-02000000CF01}1864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000150684081Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:03.606{3BF36828-BB37-61F9-8A0D-02000000CF01}1864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000150684080Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:03.606{3BF36828-BB37-61F9-8A0D-02000000CF01}1864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x8000000000000000150684079Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:03.606{3BF36828-BB37-61F9-8A0D-02000000CF01}1864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000150684078Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:03.606{3BF36828-BB37-61F9-8A0D-02000000CF01}1864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000150684077Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:03.606{3BF36828-BB37-61F9-8A0D-02000000CF01}1864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000150684076Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:03.606{3BF36828-BB37-61F9-8A0D-02000000CF01}1864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000150684075Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:03.606{3BF36828-BB37-61F9-8A0D-02000000CF01}1864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000150684074Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:03.606{3BF36828-BB37-61F9-8A0D-02000000CF01}1864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000150684073Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:03.606{3BF36828-BB37-61F9-8A0D-02000000CF01}1864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000150684072Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:03.606{3BF36828-BB37-61F9-8A0D-02000000CF01}1864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000150684071Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:03.606{3BF36828-BB37-61F9-8A0D-02000000CF01}1864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000150684070Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:03.606{3BF36828-BB37-61F9-8A0D-02000000CF01}1864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000150684069Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:03.606{3BF36828-BB37-61F9-8A0D-02000000CF01}1864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150684068Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:03.606{3BF36828-BB37-61F9-8A0D-02000000CF01}1864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000150684067Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:03.606{3BF36828-4B4B-61E8-3600-00000000CF01}34443464C:\Windows\system32\conhost.exe{3BF36828-BB37-61F9-8A0D-02000000CF01}1864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150684066Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:03.606{3BF36828-BB37-61F9-8A0D-02000000CF01}1864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000150684065Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:03.606{3BF36828-BB37-61F9-8A0D-02000000CF01}1864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000150684064Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:03.606{3BF36828-BB37-61F9-8A0D-02000000CF01}1864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150684063Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:03.606{3BF36828-BB37-61F9-8A0D-02000000CF01}1864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165trueSplunk, Inc.Valid 10341000x8000000000000000150684062Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:03.606{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684061Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:03.606{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684060Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:03.606{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684059Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:03.606{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684058Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:03.606{3BF36828-4B36-61E8-0500-00000000CF01}416532C:\Windows\system32\csrss.exe{3BF36828-BB37-61F9-8A0D-02000000CF01}1864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000150684057Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:03.606{3BF36828-4B49-61E8-2D00-00000000CF01}30564072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-BB37-61F9-8A0D-02000000CF01}1864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000150684056Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:03.592{3BF36828-BB37-61F9-8A0D-02000000CF01}1864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4B37-61E8-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000071087208Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:56.717{B81B27B7-4B45-61E8-6600-00000000CE01}4020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local54099-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000071087207Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:03.704{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E49DCE65168905DFCE0B5554D368388F,SHA256=B0D8D9C7B122FD2C2A1FAE7217ED4DBA46BCC85310BBED276639A01954EE0768,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000150684055Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:03.153{3BF36828-BB36-61F9-890D-02000000CF01}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000150684054Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:03.153{3BF36828-BB36-61F9-890D-02000000CF01}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000150684053Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:03.153{3BF36828-BB36-61F9-890D-02000000CF01}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000071087209Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:04.720{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCFC684F12242D0955C26DF322288827,SHA256=E82D289D9D1CCED0E0C264CB64FDE825666BCA7D659203135478F771928550CB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087210Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:05.721{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB8F5E293B46B61C2936DAFEA09A7F4F,SHA256=06A3C817D965614077460D4BF1D8A382C310629D33EE719C54CD5F0ACAC32EC9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684114Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:05.153{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49B37BBEC8B60EFB3D0730FE37F3E1A7,SHA256=73EC016D4904F374AA66562BE18AF2251AF113CBD8FBDDF69C97325A147FB536,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087225Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:06.765{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52DB2E9A92E87C3950AB711895C9B17E,SHA256=0731E14F7D3DDFC6D73357402CCD2C422A841CD9DBD0F3796CB33DE22DB3C05D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684119Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:06.997{3BF36828-0669-61F8-11DA-01000000CF01}6068ATTACKRANGE\AdministratorC:\Windows\explorer.exeC:\Tools\x64\[0;3e4]-2-0-60a10000-WIN-DC-128$@krbtgt-ATTACKRANGE.LOCAL.kirbiMD5=1468E0D0B775DC913F2DAD8F16B579E4,SHA256=9F8149E07EB6CF6CC7868BB010BEE8793A4054861FFBC65D3C5E03D61A5C3D51,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684118Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:06.997{3BF36828-0669-61F8-11DA-01000000CF01}6068ATTACKRANGE\AdministratorC:\Windows\explorer.exeC:\Tools\x64\[0;3e4]-0-1-40a50000-WIN-DC-128$@ldap-win-dc-128.attackrange.local.kirbiMD5=A1529E6A6D982AA4CDC1A176390F9CA6,SHA256=AE20D9AD5997A7CFAA60ECF0199CEE5E0526A55CC2D6EDF98ED8DDE6010FBB1F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684117Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:06.981{3BF36828-0669-61F8-11DA-01000000CF01}6068ATTACKRANGE\AdministratorC:\Windows\explorer.exeC:\Tools\x64\[0;3e4]-0-0-40a50000-WIN-DC-128$@DNS-win-dc-128.attackrange.local.kirbiMD5=77B4020E6AF3AF3B71FEA613A09B664C,SHA256=83E03F93EBA7C5A710866708E1853DC9557974A567CFD20550C6516DC1317547,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000150684116Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:06.481{3BF36828-DC58-61EA-634E-00000000CF01}45404808C:\Windows\system32\taskhostw.exe{3BF36828-0669-61F8-11DA-01000000CF01}6068C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000150684115Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:06.294{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E1A6E4409C8F176B65D468C0E0E8B60,SHA256=DFDBDBB58D982A38B854BD3FFCEE6BBCA23A03D90E4F40195EED3CE746852E0B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000071087224Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:06.593{B81B27B7-4B39-61E8-0D00-00000000CE01}804824C:\Windows\system32\svchost.exe{B81B27B7-AED0-61F9-B70B-02000000CE01}3740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087223Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:06.593{B81B27B7-4B39-61E8-0D00-00000000CE01}804824C:\Windows\system32\svchost.exe{B81B27B7-AED0-61F9-B70B-02000000CE01}3740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087222Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:06.593{B81B27B7-4B39-61E8-0D00-00000000CE01}804824C:\Windows\system32\svchost.exe{B81B27B7-AED0-61F9-B70B-02000000CE01}3740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087221Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:06.593{B81B27B7-4B39-61E8-0D00-00000000CE01}804824C:\Windows\system32\svchost.exe{B81B27B7-AED0-61F9-B70B-02000000CE01}3740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087220Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:06.593{B81B27B7-4B39-61E8-0D00-00000000CE01}804824C:\Windows\system32\svchost.exe{B81B27B7-AED0-61F9-B70B-02000000CE01}3740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087219Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:06.593{B81B27B7-4B39-61E8-0D00-00000000CE01}804824C:\Windows\system32\svchost.exe{B81B27B7-AED0-61F9-B70B-02000000CE01}3740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087218Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:06.593{B81B27B7-4B39-61E8-0D00-00000000CE01}804824C:\Windows\system32\svchost.exe{B81B27B7-AED0-61F9-B70B-02000000CE01}3740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087217Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:06.593{B81B27B7-4B39-61E8-0D00-00000000CE01}804824C:\Windows\system32\svchost.exe{B81B27B7-AED0-61F9-B70B-02000000CE01}3740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087216Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:06.593{B81B27B7-4B39-61E8-0D00-00000000CE01}804824C:\Windows\system32\svchost.exe{B81B27B7-AED0-61F9-B70B-02000000CE01}3740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087215Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:06.593{B81B27B7-4B39-61E8-0D00-00000000CE01}804824C:\Windows\system32\svchost.exe{B81B27B7-AED0-61F9-B70B-02000000CE01}3740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087214Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:06.593{B81B27B7-4B39-61E8-0D00-00000000CE01}804824C:\Windows\system32\svchost.exe{B81B27B7-AED0-61F9-B70B-02000000CE01}3740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087213Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:06.593{B81B27B7-4B39-61E8-0D00-00000000CE01}804824C:\Windows\system32\svchost.exe{B81B27B7-AED0-61F9-B70B-02000000CE01}3740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087212Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:06.593{B81B27B7-4B39-61E8-0D00-00000000CE01}804824C:\Windows\system32\svchost.exe{B81B27B7-AED0-61F9-B70B-02000000CE01}3740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087211Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:06.593{B81B27B7-4B39-61E8-0D00-00000000CE01}804824C:\Windows\system32\svchost.exe{B81B27B7-AED0-61F9-B70B-02000000CE01}3740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000071087226Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:07.784{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A7D4D1342235B8AACF36E26C583B10D,SHA256=2944C468E2D2679B54FAD9BC29946B04F4D9A4C9DBA581CD857CDF4BB4A8CA4A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000150684147Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.822{3BF36828-4B56-61E8-6D00-00000000CF01}4044C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local59769-false10.0.1.12-8000- 734700x8000000000000000150684146Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:07.544{3BF36828-0669-61F8-11DA-01000000CF01}6068C:\Windows\explorer.exeC:\Windows\System32\EhStorAPI.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Enhanced Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationEhStorapi.dllMD5=1287D2464B3F71ECC99316991E038B0B,SHA256=7FFA04958C7E76E42712E8D9E03037E3E98E2A6E1A6D277E48A76C55F4E794E8,IMPHASH=33685761AD2886071A8D7CFB81130BEAtrueMicrosoft WindowsValid 734700x8000000000000000150684145Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:07.544{3BF36828-0669-61F8-11DA-01000000CF01}6068C:\Windows\explorer.exeC:\Windows\System32\wpdshext.dll10.0.14393.4169 (rs1_release.210107-1130)Portable Devices Shell ExtensionMicrosoft® Windows® Operating SystemMicrosoft CorporationWpdShExt.dllMD5=CEB555E9099888316A1E2ADE83BA82BF,SHA256=4110FFD5F08100D1F6E1005E2907460E40B3221A0833B821BE291657416E89F0,IMPHASH=60006258D4DE87B31BEDA805A8CC8040trueMicrosoft WindowsValid 734700x8000000000000000150684144Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:07.528{3BF36828-0669-61F8-11DA-01000000CF01}6068C:\Windows\explorer.exeC:\Windows\System32\PlayToDevice.dll10.0.14393.4169 (rs1_release.210107-1130)PLAYTODEVICE DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPlaytoDevice.dllMD5=0B283806F6BEEE6509E9F8C3FCA10286,SHA256=4DC982EC3F8B81CF8BF0F56ED5CEF628C28A1620CC12B94CAFADCD7CE684B6E2,IMPHASH=C336F93278ACA9710F465E21059D5842trueMicrosoft WindowsValid 23542300x8000000000000000150684143Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:07.295{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0161167BB2FBCB90ADC83A0A199E7FA,SHA256=08F6A9A8E4A892364D335FFE3C8CAF76210BF18C7295A9E004E0E8609E9AE958,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684142Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:07.263{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1BBA35C2F3C86F685ED644BCCACDD043,SHA256=7C6D46BE06104103F19BA5C1E9613ED7A15205FB8FB51FD3C17D1B80574F48C2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684141Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:07.013{3BF36828-0669-61F8-11DA-01000000CF01}6068ATTACKRANGE\AdministratorC:\Windows\explorer.exeC:\Tools\x64\[0;e0b70]-1-0-40a50000-WIN-DC-128$@GC-win-dc-128.attackrange.local.kirbiMD5=7429EBD35D0249245D37B64DF573597B,SHA256=4E53DE40D5E14C2D3BD2C9B4F0D3968DF6C912E4A5D703E77C5D4377609AFA7C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684140Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:07.013{3BF36828-0669-61F8-11DA-01000000CF01}6068ATTACKRANGE\AdministratorC:\Windows\explorer.exeC:\Tools\x64\[0;c1bd460]-2-0-60a10000-WIN-DC-128$@krbtgt-ATTACKRANGE.LOCAL.kirbiMD5=1538404CFA40760EAECDCB99AFB07329,SHA256=BD877C7EEF1A80B0922D952523A41759C2101819642A7B4499FA02F4DDB2A013,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684139Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:07.013{3BF36828-0669-61F8-11DA-01000000CF01}6068ATTACKRANGE\AdministratorC:\Windows\explorer.exeC:\Tools\x64\[0;133115ef]-2-0-40e10000-Administrator@krbtgt-ATTACKRANGE.LOCAL.kirbiMD5=1DEC3E68A35AEC92CB0E0564338555E4,SHA256=E287DA3CC5DE7FEC09BFCDF2B5E1A26BB0B65524A7DC28905CDA6D42B779E4FC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684138Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:07.013{3BF36828-0669-61F8-11DA-01000000CF01}6068ATTACKRANGE\AdministratorC:\Windows\explorer.exeC:\Tools\x64\[0;466d5]-1-0-40a50000-WIN-DC-128$@LDAP-win-dc-128.attackrange.local.kirbiMD5=D64C7836B5F5B3B33388358E996D3A96,SHA256=AB2AE8799D8533EBF02D72A867F436C85DF432B0C51F107C4F3E793F4F1430AA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684137Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:07.013{3BF36828-0669-61F8-11DA-01000000CF01}6068ATTACKRANGE\AdministratorC:\Windows\explorer.exeC:\Tools\x64\[0;99d2b]-1-0-40a50000-WIN-DC-128$@LDAP-win-dc-128.attackrange.local.kirbiMD5=D64C7836B5F5B3B33388358E996D3A96,SHA256=AB2AE8799D8533EBF02D72A867F436C85DF432B0C51F107C4F3E793F4F1430AA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684136Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:07.013{3BF36828-0669-61F8-11DA-01000000CF01}6068ATTACKRANGE\AdministratorC:\Windows\explorer.exeC:\Tools\x64\[0;99cdd]-1-0-40a50000-WIN-DC-128$@ldap-win-dc-128.attackrange.local.kirbiMD5=6934B55A732BF7D2197644DDE0A92562,SHA256=1144721707BD0EC322C8DA0D2B11593DEF8E2A37E963F5A30274A45C4C7A16B4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684135Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:07.013{3BF36828-0669-61F8-11DA-01000000CF01}6068ATTACKRANGE\AdministratorC:\Windows\explorer.exeC:\Tools\x64\[0;12e99e16]-1-0-40a50000-WIN-DC-128$@ldap-win-dc-128.attackrange.local.kirbiMD5=BAD2243E3C3198A1033B63D7ABC2CF01,SHA256=A37EBBD70CFC62172A86EC3A3843989EA2F8130F5FB2906CF846A8E72FDAFEC8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684134Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:07.013{3BF36828-0669-61F8-11DA-01000000CF01}6068ATTACKRANGE\AdministratorC:\Windows\explorer.exeC:\Tools\x64\[0;12e99bb6]-1-0-40a50000-WIN-DC-128$@ldap-win-dc-128.attackrange.local.kirbiMD5=BAD2243E3C3198A1033B63D7ABC2CF01,SHA256=A37EBBD70CFC62172A86EC3A3843989EA2F8130F5FB2906CF846A8E72FDAFEC8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684133Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:07.013{3BF36828-0669-61F8-11DA-01000000CF01}6068ATTACKRANGE\AdministratorC:\Windows\explorer.exeC:\Tools\x64\[0;12e98da3]-2-0-60a10000-WIN-DC-128$@krbtgt-ATTACKRANGE.LOCAL.kirbiMD5=F4446B920A289C7D7A047BF2859420B8,SHA256=FC3294BF50C178A454C808B0A19A8D6DFF55B98B6B8EC4012E8C9739ADB3B078,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684132Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:07.013{3BF36828-0669-61F8-11DA-01000000CF01}6068ATTACKRANGE\AdministratorC:\Windows\explorer.exeC:\Tools\x64\[0;12e9cb8b]-1-0-40a50000-WIN-DC-128$@ldap-win-dc-128.attackrange.local.kirbiMD5=BAD2243E3C3198A1033B63D7ABC2CF01,SHA256=A37EBBD70CFC62172A86EC3A3843989EA2F8130F5FB2906CF846A8E72FDAFEC8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684131Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:07.013{3BF36828-0669-61F8-11DA-01000000CF01}6068ATTACKRANGE\AdministratorC:\Windows\explorer.exeC:\Tools\x64\[0;3e7]-2-1-40e10000-WIN-DC-128$@krbtgt-ATTACKRANGE.LOCAL.kirbiMD5=02D99E958F324DDAFB2F11060EC2EDC3,SHA256=0DDAA33D05075CF6BC2B88B78DEC1641940D0745BB7DDC3EC21364ED0399A919,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684130Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:06.997{3BF36828-0669-61F8-11DA-01000000CF01}6068ATTACKRANGE\AdministratorC:\Windows\explorer.exeC:\Tools\x64\[0;3e7]-2-0-60a10000-WIN-DC-128$@krbtgt-ATTACKRANGE.LOCAL.kirbiMD5=F4446B920A289C7D7A047BF2859420B8,SHA256=FC3294BF50C178A454C808B0A19A8D6DFF55B98B6B8EC4012E8C9739ADB3B078,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684129Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:06.997{3BF36828-0669-61F8-11DA-01000000CF01}6068ATTACKRANGE\AdministratorC:\Windows\explorer.exeC:\Tools\x64\[0;3e7]-0-8-40a50000-WIN-DC-128$@GC-win-dc-128.attackrange.local.kirbiMD5=9C651DD3A547FAD0457EE2EEA7DF624C,SHA256=8D706E623F04EDE7D4BDF9EFC0B3F3D7C4F70DA0FD8C6D55498FC8562FD1AD5B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684128Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:06.997{3BF36828-0669-61F8-11DA-01000000CF01}6068ATTACKRANGE\AdministratorC:\Windows\explorer.exeC:\Tools\x64\[0;3e7]-0-7-40a50000-WIN-DC-128$@HTTP-win-dc-128.attackrange.local.kirbiMD5=45C78B1E4923AAE8DA82E9AA063E0DCB,SHA256=172777FAE1C72CB002E4E538ECC15B35F0759C8B2A7E16792EDD58B7D97BAE88,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684127Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:06.997{3BF36828-0669-61F8-11DA-01000000CF01}6068ATTACKRANGE\AdministratorC:\Windows\explorer.exeC:\Tools\x64\[0;3e7]-0-6-40a50000-WIN-DC-128$@cifs-win-dc-128.attackrange.local.kirbiMD5=92F494DE80771F472ADB197406E36BFF,SHA256=F1C067AF263E6EE289092482952F76C8BAFE91A49EDFEB0B53438D251AA90ABC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684126Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:06.997{3BF36828-0669-61F8-11DA-01000000CF01}6068ATTACKRANGE\AdministratorC:\Windows\explorer.exeC:\Tools\x64\[0;3e7]-0-5-40a50000-WIN-DC-128$@ldap-win-dc-128.attackrange.local.kirbiMD5=37C2C327F7DEE413893A863D6EE2C897,SHA256=350FBDD759E8CCB5B2B2635781A25ED21EEC851DC992E17BC00330C3C6DB5FC5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684125Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:06.997{3BF36828-0669-61F8-11DA-01000000CF01}6068ATTACKRANGE\AdministratorC:\Windows\explorer.exeC:\Tools\x64\[0;3e7]-0-4-40a50000.kirbiMD5=A850B0C1F4568EBE9F62F12263490346,SHA256=5FB8EC54F96857208E770F54A778FB69E36CACB8BD411C65EC1296D0A25795EA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684124Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:06.997{3BF36828-0669-61F8-11DA-01000000CF01}6068ATTACKRANGE\AdministratorC:\Windows\explorer.exeC:\Tools\x64\[0;3e7]-0-3-40a50000-WIN-DC-128$@cifs-win-dc-128.attackrange.local.kirbiMD5=E7BB60CDDF40A4013F55E00C7123678F,SHA256=3088B862CE90F943E70CC6ED70859451E9AF92F53800D56870623514C0DDF819,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684123Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:06.997{3BF36828-0669-61F8-11DA-01000000CF01}6068ATTACKRANGE\AdministratorC:\Windows\explorer.exeC:\Tools\x64\[0;3e7]-0-2-40a50000-WIN-DC-128$@LDAP-WIN-DC-128.kirbiMD5=BC4CF1CD4D3403BEA6FA690DC53B08D8,SHA256=56FA34F1DFB9B985A9EA6B0263D7488E29CB9ABE0397F5C8C5A348ED30F9D856,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684122Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:06.997{3BF36828-0669-61F8-11DA-01000000CF01}6068ATTACKRANGE\AdministratorC:\Windows\explorer.exeC:\Tools\x64\[0;3e7]-0-1-40a50000-WIN-DC-128$@ldap-win-dc-128.attackrange.local.kirbiMD5=1EDA95E938CA1AA89EC59AB6A4521ED5,SHA256=69D843BCFE339BED1ED0F7A2BEEC8C076C3A7EAFE4547177F9796B42B88A9811,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684121Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:06.997{3BF36828-0669-61F8-11DA-01000000CF01}6068ATTACKRANGE\AdministratorC:\Windows\explorer.exeC:\Tools\x64\[0;3e7]-0-0-40a50000-WIN-DC-128$@cifs-WIN-DC-128.kirbiMD5=2DCC30DED8FCD0B9C576D6AD67D3DDEA,SHA256=C8B4BF3285461F5633BA0347113E7B2128438745B60040BA77415047326A0087,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684120Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:06.997{3BF36828-0669-61F8-11DA-01000000CF01}6068ATTACKRANGE\AdministratorC:\Windows\explorer.exeC:\Tools\x64\[0;3e4]-2-1-40e10000-WIN-DC-128$@krbtgt-ATTACKRANGE.LOCAL.kirbiMD5=1139BBABFF5017D749EE1A4C01A3D257,SHA256=E669F8AFDBBED8887503CFC8F2ADD4928DB3DB6E5FEE3C152EBAADEEE2E02A96,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087228Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:08.846{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E442B61477500A8C3DD89B92F5AA41F,SHA256=1E28AFA0B6EF560FE624F1304DB2EBB0D17FB18007428AB74664670F72E13EE5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684210Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.731{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8768FD4AAF50D153B190625C0749D5AB,SHA256=6654E1C0A2DFE8DB44D4DD4FFA745A5309C29532846E168522A6D226BF050E7D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000150684209Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.700{3BF36828-BB3C-61F9-8B0D-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 354300x800000000000000071087227Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:01.812{B81B27B7-4B45-61E8-6600-00000000CE01}4020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local54100-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 734700x8000000000000000150684208Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.700{3BF36828-BB3C-61F9-8B0D-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000150684207Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.700{3BF36828-BB3C-61F9-8B0D-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000150684206Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.560{3BF36828-BB3C-61F9-8B0D-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000150684205Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.560{3BF36828-BB3C-61F9-8B0D-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000150684204Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.560{3BF36828-BB3C-61F9-8B0D-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000150684203Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.560{3BF36828-BB3C-61F9-8B0D-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000150684202Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.560{3BF36828-BB3C-61F9-8B0D-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000150684201Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.560{3BF36828-BB3C-61F9-8B0D-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000150684200Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.560{3BF36828-BB3C-61F9-8B0D-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000150684199Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.560{3BF36828-BB3C-61F9-8B0D-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000150684198Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.544{3BF36828-BB3C-61F9-8B0D-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000150684197Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.544{3BF36828-BB3C-61F9-8B0D-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000150684196Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.544{3BF36828-BB3C-61F9-8B0D-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000150684195Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.544{3BF36828-BB3C-61F9-8B0D-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000150684194Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.544{3BF36828-BB3C-61F9-8B0D-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000150684193Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.544{3BF36828-BB3C-61F9-8B0D-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000150684192Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.544{3BF36828-BB3C-61F9-8B0D-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000150684191Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.544{3BF36828-BB3C-61F9-8B0D-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000150684190Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.544{3BF36828-BB3C-61F9-8B0D-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000150684189Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.544{3BF36828-BB3C-61F9-8B0D-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000150684188Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.544{3BF36828-BB3C-61F9-8B0D-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000150684187Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.544{3BF36828-BB3C-61F9-8B0D-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000150684186Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.544{3BF36828-BB3C-61F9-8B0D-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000150684185Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.544{3BF36828-BB3C-61F9-8B0D-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000150684184Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.544{3BF36828-BB3C-61F9-8B0D-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000150684183Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.544{3BF36828-BB3C-61F9-8B0D-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000150684182Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.544{3BF36828-BB3C-61F9-8B0D-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000150684181Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.544{3BF36828-BB3C-61F9-8B0D-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000150684180Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.544{3BF36828-BB3C-61F9-8B0D-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x8000000000000000150684179Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.544{3BF36828-BB3C-61F9-8B0D-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000150684178Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.544{3BF36828-BB3C-61F9-8B0D-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000150684177Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.544{3BF36828-BB3C-61F9-8B0D-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000150684176Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.544{3BF36828-BB3C-61F9-8B0D-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x8000000000000000150684175Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.544{3BF36828-BB3C-61F9-8B0D-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150684174Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.544{3BF36828-BB3C-61F9-8B0D-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000150684173Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.544{3BF36828-BB3C-61F9-8B0D-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x8000000000000000150684172Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.544{3BF36828-BB3C-61F9-8B0D-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000150684171Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.544{3BF36828-BB3C-61F9-8B0D-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000150684170Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.544{3BF36828-BB3C-61F9-8B0D-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x8000000000000000150684169Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.544{3BF36828-BB3C-61F9-8B0D-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000150684168Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.544{3BF36828-BB3C-61F9-8B0D-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000150684167Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.544{3BF36828-BB3C-61F9-8B0D-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x8000000000000000150684166Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.544{3BF36828-4B4B-61E8-3600-00000000CF01}34443464C:\Windows\system32\conhost.exe{3BF36828-BB3C-61F9-8B0D-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150684165Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.544{3BF36828-BB3C-61F9-8B0D-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000150684164Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.544{3BF36828-BB3C-61F9-8B0D-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000150684163Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.544{3BF36828-BB3C-61F9-8B0D-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150684162Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.544{3BF36828-BB3C-61F9-8B0D-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AECtrueSplunk, Inc.Valid 10341000x8000000000000000150684161Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.544{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684160Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.544{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684159Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.544{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684158Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.544{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684157Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.544{3BF36828-4B36-61E8-0500-00000000CF01}416532C:\Windows\system32\csrss.exe{3BF36828-BB3C-61F9-8B0D-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000150684156Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.544{3BF36828-4B49-61E8-2D00-00000000CF01}30564072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-BB3C-61F9-8B0D-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000150684155Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.513{3BF36828-BB3C-61F9-8B0D-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4B37-61E8-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000150684154Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.341{3BF36828-0669-61F8-11DA-01000000CF01}60682608C:\Windows\explorer.exe{3BF36828-9F48-61F9-2F0A-02000000CF01}4924C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+15d19|C:\Windows\System32\SHELL32.dll+b1b50|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684153Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.341{3BF36828-0669-61F8-11DA-01000000CF01}60682608C:\Windows\explorer.exe{3BF36828-9F48-61F9-2F0A-02000000CF01}4924C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684152Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.341{3BF36828-0669-61F8-11DA-01000000CF01}60685556C:\Windows\explorer.exe{3BF36828-9F48-61F9-300A-02000000CF01}2504C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13af|C:\Windows\System32\SHELL32.dll+b2af0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684151Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.341{3BF36828-0669-61F8-11DA-01000000CF01}60685556C:\Windows\explorer.exe{3BF36828-9F48-61F9-300A-02000000CF01}2504C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+981b0|C:\Windows\System32\SHELL32.dll+b2aac|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684150Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.341{3BF36828-0669-61F8-11DA-01000000CF01}60685556C:\Windows\explorer.exe{3BF36828-9F48-61F9-300A-02000000CF01}2504C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b2a80|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684149Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.341{3BF36828-0669-61F8-11DA-01000000CF01}60685556C:\Windows\explorer.exe{3BF36828-9F48-61F9-300A-02000000CF01}2504C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000150684148Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.310{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28F394204630A5A89F040401F0CB7F19,SHA256=F1F583B7EA075731F95AEFC803B6A046D3A10789DADC339510F69FFC15FDF49B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000071087246Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:09.909{B81B27B7-4B3C-61E8-3000-00000000CE01}31083128C:\Windows\system32\conhost.exe{B81B27B7-BB3D-61F9-520D-02000000CE01}4300C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087245Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:09.909{B81B27B7-4B39-61E8-0C00-00000000CE01}7364796C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087244Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:09.909{B81B27B7-4B39-61E8-0C00-00000000CE01}7364796C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087243Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:09.909{B81B27B7-4B39-61E8-0C00-00000000CE01}7364796C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087242Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:09.909{B81B27B7-4B39-61E8-0C00-00000000CE01}7364796C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087241Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:09.909{B81B27B7-4B38-61E8-0500-00000000CE01}420540C:\Windows\system32\csrss.exe{B81B27B7-BB3D-61F9-520D-02000000CE01}4300C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000071087240Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:09.909{B81B27B7-4B3A-61E8-2600-00000000CE01}21723992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-BB3D-61F9-520D-02000000CE01}4300C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000071087239Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:09.894{B81B27B7-BB3D-61F9-520D-02000000CE01}4300C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4B39-61E8-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000071087238Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:09.877{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1936589DE9F5A8562B1168F55B383EE,SHA256=4F13D84B115AE46E0ED540C5192D653154010D799EDF9566BB5D4C486D8588E0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000150684311Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.950{3BF36828-BB3D-61F9-8D0D-02000000CF01}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000150684310Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.950{3BF36828-BB3D-61F9-8D0D-02000000CF01}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000150684309Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.950{3BF36828-BB3D-61F9-8D0D-02000000CF01}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000150684308Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.950{3BF36828-BB3D-61F9-8D0D-02000000CF01}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000150684307Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.950{3BF36828-BB3D-61F9-8D0D-02000000CF01}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000150684306Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.950{3BF36828-BB3D-61F9-8D0D-02000000CF01}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000150684305Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.935{3BF36828-BB3D-61F9-8D0D-02000000CF01}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000150684304Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.935{3BF36828-BB3D-61F9-8D0D-02000000CF01}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000150684303Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.935{3BF36828-BB3D-61F9-8D0D-02000000CF01}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000150684302Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.935{3BF36828-BB3D-61F9-8D0D-02000000CF01}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000150684301Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.935{3BF36828-BB3D-61F9-8D0D-02000000CF01}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000150684300Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.935{3BF36828-BB3D-61F9-8D0D-02000000CF01}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000150684299Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.935{3BF36828-BB3D-61F9-8D0D-02000000CF01}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000150684298Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.935{3BF36828-BB3D-61F9-8D0D-02000000CF01}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000150684297Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.935{3BF36828-BB3D-61F9-8D0D-02000000CF01}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000150684296Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.935{3BF36828-BB3D-61F9-8D0D-02000000CF01}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150684295Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.935{3BF36828-BB3D-61F9-8D0D-02000000CF01}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000150684294Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.935{3BF36828-BB3D-61F9-8D0D-02000000CF01}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000150684293Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.935{3BF36828-BB3D-61F9-8D0D-02000000CF01}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000150684292Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.935{3BF36828-BB3D-61F9-8D0D-02000000CF01}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000150684291Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.935{3BF36828-BB3D-61F9-8D0D-02000000CF01}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000150684290Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.935{3BF36828-BB3D-61F9-8D0D-02000000CF01}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000150684289Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.935{3BF36828-BB3D-61F9-8D0D-02000000CF01}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000150684288Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.935{3BF36828-BB3D-61F9-8D0D-02000000CF01}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000150684287Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.935{3BF36828-BB3D-61F9-8D0D-02000000CF01}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000150684286Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.935{3BF36828-BB3D-61F9-8D0D-02000000CF01}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000150684285Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.935{3BF36828-BB3D-61F9-8D0D-02000000CF01}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000150684284Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.935{3BF36828-BB3D-61F9-8D0D-02000000CF01}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000150684283Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.935{3BF36828-BB3D-61F9-8D0D-02000000CF01}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000150684282Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.935{3BF36828-BB3D-61F9-8D0D-02000000CF01}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000150684281Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.935{3BF36828-BB3D-61F9-8D0D-02000000CF01}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000150684280Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.935{3BF36828-BB3D-61F9-8D0D-02000000CF01}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000150684279Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.935{3BF36828-BB3D-61F9-8D0D-02000000CF01}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000150684278Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.935{3BF36828-BB3D-61F9-8D0D-02000000CF01}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000150684277Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.935{3BF36828-BB3D-61F9-8D0D-02000000CF01}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000150684276Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.919{3BF36828-BB3D-61F9-8D0D-02000000CF01}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x8000000000000000150684275Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.919{3BF36828-4B4B-61E8-3600-00000000CF01}34443464C:\Windows\system32\conhost.exe{3BF36828-BB3D-61F9-8D0D-02000000CF01}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150684274Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.919{3BF36828-BB3D-61F9-8D0D-02000000CF01}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000150684273Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.919{3BF36828-BB3D-61F9-8D0D-02000000CF01}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000150684272Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.919{3BF36828-BB3D-61F9-8D0D-02000000CF01}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150684271Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.919{3BF36828-BB3D-61F9-8D0D-02000000CF01}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25trueSplunk, Inc.Valid 10341000x8000000000000000150684270Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.919{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684269Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.919{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684268Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.919{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684267Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.919{3BF36828-4B36-61E8-0500-00000000CF01}4164876C:\Windows\system32\csrss.exe{3BF36828-BB3D-61F9-8D0D-02000000CF01}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000150684266Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.919{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684265Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.919{3BF36828-4B49-61E8-2D00-00000000CF01}30564072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-BB3D-61F9-8D0D-02000000CF01}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000150684264Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.904{3BF36828-BB3D-61F9-8D0D-02000000CF01}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4B37-61E8-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000150684263Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.560{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=93C8DD3C46BDAFCB46E8B63398F906B8,SHA256=B7B645C4034603D34EB14FA3ABFD7D03CA148F0F73443554F3A65C11B0122B1A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000150684262Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.372{3BF36828-BB3D-61F9-8C0D-02000000CF01}2124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000150684261Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.372{3BF36828-BB3D-61F9-8C0D-02000000CF01}21245460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150684260Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.372{3BF36828-BB3D-61F9-8C0D-02000000CF01}2124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000150684259Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.372{3BF36828-BB3D-61F9-8C0D-02000000CF01}2124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000150684258Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.356{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F55656D80F856C83A0E31569B76EA98A,SHA256=5882DC383F6BF242EF9575F0759B3C7CA170DEC1946F7DD1077E99A7038AE431,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000071087237Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:09.424{B81B27B7-BB3D-61F9-510D-02000000CE01}36564540C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087236Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:09.237{B81B27B7-4B3C-61E8-3000-00000000CE01}31083128C:\Windows\system32\conhost.exe{B81B27B7-BB3D-61F9-510D-02000000CE01}3656C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087235Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:09.221{B81B27B7-4B39-61E8-0C00-00000000CE01}7364796C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087234Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:09.221{B81B27B7-4B39-61E8-0C00-00000000CE01}7364796C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087233Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:09.221{B81B27B7-4B39-61E8-0C00-00000000CE01}7364796C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087232Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:09.221{B81B27B7-4B38-61E8-0500-00000000CE01}420436C:\Windows\system32\csrss.exe{B81B27B7-BB3D-61F9-510D-02000000CE01}3656C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000071087231Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:09.221{B81B27B7-4B39-61E8-0C00-00000000CE01}7364796C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087230Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:09.221{B81B27B7-4B3A-61E8-2600-00000000CE01}21723992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-BB3D-61F9-510D-02000000CE01}3656C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000071087229Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:09.206{B81B27B7-BB3D-61F9-510D-02000000CE01}3656C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4B39-61E8-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x8000000000000000150684257Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.247{3BF36828-BB3D-61F9-8C0D-02000000CF01}2124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000150684256Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.247{3BF36828-BB3D-61F9-8C0D-02000000CF01}2124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000150684255Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.247{3BF36828-BB3D-61F9-8C0D-02000000CF01}2124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000150684254Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.247{3BF36828-BB3D-61F9-8C0D-02000000CF01}2124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000150684253Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.247{3BF36828-BB3D-61F9-8C0D-02000000CF01}2124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000150684252Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.231{3BF36828-BB3D-61F9-8C0D-02000000CF01}2124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000150684251Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.231{3BF36828-BB3D-61F9-8C0D-02000000CF01}2124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000150684250Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.231{3BF36828-BB3D-61F9-8C0D-02000000CF01}2124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000150684249Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.231{3BF36828-BB3D-61F9-8C0D-02000000CF01}2124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000150684248Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.231{3BF36828-BB3D-61F9-8C0D-02000000CF01}2124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000150684247Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.231{3BF36828-BB3D-61F9-8C0D-02000000CF01}2124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000150684246Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.231{3BF36828-BB3D-61F9-8C0D-02000000CF01}2124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000150684245Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.231{3BF36828-BB3D-61F9-8C0D-02000000CF01}2124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000150684244Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.231{3BF36828-BB3D-61F9-8C0D-02000000CF01}2124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000150684243Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.231{3BF36828-BB3D-61F9-8C0D-02000000CF01}2124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000150684242Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.231{3BF36828-BB3D-61F9-8C0D-02000000CF01}2124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000150684241Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.231{3BF36828-BB3D-61F9-8C0D-02000000CF01}2124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150684240Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.231{3BF36828-BB3D-61F9-8C0D-02000000CF01}2124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000150684239Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.231{3BF36828-BB3D-61F9-8C0D-02000000CF01}2124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000150684238Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.231{3BF36828-BB3D-61F9-8C0D-02000000CF01}2124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000150684237Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.231{3BF36828-BB3D-61F9-8C0D-02000000CF01}2124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000150684236Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.231{3BF36828-BB3D-61F9-8C0D-02000000CF01}2124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000150684235Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.231{3BF36828-BB3D-61F9-8C0D-02000000CF01}2124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000150684234Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.231{3BF36828-BB3D-61F9-8C0D-02000000CF01}2124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000150684233Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.231{3BF36828-BB3D-61F9-8C0D-02000000CF01}2124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000150684232Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.231{3BF36828-BB3D-61F9-8C0D-02000000CF01}2124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000150684231Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.231{3BF36828-BB3D-61F9-8C0D-02000000CF01}2124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000150684230Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.231{3BF36828-BB3D-61F9-8C0D-02000000CF01}2124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000150684229Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.231{3BF36828-BB3D-61F9-8C0D-02000000CF01}2124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000150684228Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.231{3BF36828-BB3D-61F9-8C0D-02000000CF01}2124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000150684227Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.231{3BF36828-BB3D-61F9-8C0D-02000000CF01}2124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000150684226Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.231{3BF36828-BB3D-61F9-8C0D-02000000CF01}2124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000150684225Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.231{3BF36828-BB3D-61F9-8C0D-02000000CF01}2124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000150684224Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.231{3BF36828-BB3D-61F9-8C0D-02000000CF01}2124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000150684223Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.231{3BF36828-BB3D-61F9-8C0D-02000000CF01}2124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x8000000000000000150684222Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.231{3BF36828-4B4B-61E8-3600-00000000CF01}34443464C:\Windows\system32\conhost.exe{3BF36828-BB3D-61F9-8C0D-02000000CF01}2124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150684221Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.231{3BF36828-BB3D-61F9-8C0D-02000000CF01}2124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000150684220Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.231{3BF36828-BB3D-61F9-8C0D-02000000CF01}2124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000150684219Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.231{3BF36828-BB3D-61F9-8C0D-02000000CF01}2124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150684218Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.231{3BF36828-BB3D-61F9-8C0D-02000000CF01}2124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x8000000000000000150684217Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.231{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684216Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.231{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684215Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.231{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684214Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.231{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684213Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.231{3BF36828-4B36-61E8-0500-00000000CF01}4164876C:\Windows\system32\csrss.exe{3BF36828-BB3D-61F9-8C0D-02000000CF01}2124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000150684212Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.231{3BF36828-4B49-61E8-2D00-00000000CF01}30564072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-BB3D-61F9-8C0D-02000000CF01}2124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000150684211Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.217{3BF36828-BB3D-61F9-8C0D-02000000CF01}2124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4B37-61E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000150684368Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:10.919{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C290334FE1C863E2AE06D18AD4384EC6,SHA256=50594F9610A2A3300D38AC3E3F7CB6143BD871E9D51F4E2F71079E89B9C88D80,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000150684367Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:10.778{3BF36828-BB3E-61F9-8E0D-02000000CF01}1800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000150684366Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:10.778{3BF36828-BB3E-61F9-8E0D-02000000CF01}18005308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150684365Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:10.778{3BF36828-BB3E-61F9-8E0D-02000000CF01}1800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000150684364Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:10.778{3BF36828-BB3E-61F9-8E0D-02000000CF01}1800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000150684363Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:10.731{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A919746C2474F387BE4DBB16F64985B4,SHA256=DF073DBE52520C4419F6D548BFC0DF50A45A8393DD9889A1B10D1AC9C90107ED,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000150684362Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:10.622{3BF36828-BB3E-61F9-8E0D-02000000CF01}1800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000150684361Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:10.622{3BF36828-BB3E-61F9-8E0D-02000000CF01}1800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000150684360Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:10.622{3BF36828-BB3E-61F9-8E0D-02000000CF01}1800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000150684359Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:10.622{3BF36828-BB3E-61F9-8E0D-02000000CF01}1800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000150684358Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:10.622{3BF36828-BB3E-61F9-8E0D-02000000CF01}1800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000150684357Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:10.622{3BF36828-BB3E-61F9-8E0D-02000000CF01}1800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000150684356Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:10.622{3BF36828-BB3E-61F9-8E0D-02000000CF01}1800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000150684355Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:10.622{3BF36828-BB3E-61F9-8E0D-02000000CF01}1800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000150684354Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:10.606{3BF36828-BB3E-61F9-8E0D-02000000CF01}1800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000150684353Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:10.606{3BF36828-BB3E-61F9-8E0D-02000000CF01}1800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000150684352Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:10.606{3BF36828-BB3E-61F9-8E0D-02000000CF01}1800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000150684351Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:10.606{3BF36828-BB3E-61F9-8E0D-02000000CF01}1800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000150684350Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:10.606{3BF36828-BB3E-61F9-8E0D-02000000CF01}1800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000150684349Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:10.606{3BF36828-BB3E-61F9-8E0D-02000000CF01}1800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000150684348Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:10.606{3BF36828-BB3E-61F9-8E0D-02000000CF01}1800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000150684347Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:10.606{3BF36828-BB3E-61F9-8E0D-02000000CF01}1800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000150684346Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:10.606{3BF36828-BB3E-61F9-8E0D-02000000CF01}1800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000150684345Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:10.606{3BF36828-BB3E-61F9-8E0D-02000000CF01}1800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150684344Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:10.606{3BF36828-BB3E-61F9-8E0D-02000000CF01}1800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000150684343Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:10.606{3BF36828-BB3E-61F9-8E0D-02000000CF01}1800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000150684342Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:10.606{3BF36828-BB3E-61F9-8E0D-02000000CF01}1800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000150684341Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:10.606{3BF36828-BB3E-61F9-8E0D-02000000CF01}1800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000150684340Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:10.606{3BF36828-BB3E-61F9-8E0D-02000000CF01}1800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000150684339Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:10.606{3BF36828-BB3E-61F9-8E0D-02000000CF01}1800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000150684338Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:10.606{3BF36828-BB3E-61F9-8E0D-02000000CF01}1800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000150684337Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:10.606{3BF36828-BB3E-61F9-8E0D-02000000CF01}1800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000150684336Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:10.606{3BF36828-BB3E-61F9-8E0D-02000000CF01}1800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000150684335Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:10.606{3BF36828-BB3E-61F9-8E0D-02000000CF01}1800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000150684334Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:10.606{3BF36828-BB3E-61F9-8E0D-02000000CF01}1800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000150684333Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:10.606{3BF36828-BB3E-61F9-8E0D-02000000CF01}1800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000150684332Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:10.606{3BF36828-BB3E-61F9-8E0D-02000000CF01}1800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000150684331Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:10.606{3BF36828-BB3E-61F9-8E0D-02000000CF01}1800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000150684330Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:10.606{3BF36828-BB3E-61F9-8E0D-02000000CF01}1800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000150684329Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:10.606{3BF36828-BB3E-61F9-8E0D-02000000CF01}1800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000150684328Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:10.606{3BF36828-BB3E-61F9-8E0D-02000000CF01}1800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x8000000000000000150684327Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:10.606{3BF36828-4B4B-61E8-3600-00000000CF01}34443464C:\Windows\system32\conhost.exe{3BF36828-BB3E-61F9-8E0D-02000000CF01}1800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150684326Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:10.606{3BF36828-BB3E-61F9-8E0D-02000000CF01}1800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000150684325Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:10.606{3BF36828-BB3E-61F9-8E0D-02000000CF01}1800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000150684324Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:10.606{3BF36828-BB3E-61F9-8E0D-02000000CF01}1800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150684323Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:10.606{3BF36828-BB3E-61F9-8E0D-02000000CF01}1800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x8000000000000000150684322Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:10.606{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684321Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:10.606{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684320Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:10.606{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684319Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:10.606{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684318Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:10.606{3BF36828-4B36-61E8-0500-00000000CF01}416532C:\Windows\system32\csrss.exe{3BF36828-BB3E-61F9-8E0D-02000000CF01}1800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000150684317Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:10.606{3BF36828-4B49-61E8-2D00-00000000CF01}30564072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-BB3E-61F9-8E0D-02000000CF01}1800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000150684316Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:10.592{3BF36828-BB3E-61F9-8E0D-02000000CF01}1800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4B37-61E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000071087257Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:10.940{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8757B06533FDA5438F3B6178CAE8F326,SHA256=1FF9E6DADED1B5740044F7DFB38431C63DE4B1A7376152163A200A32BBD4BA9B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000071087256Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:10.424{B81B27B7-4B3C-61E8-3000-00000000CE01}31083128C:\Windows\system32\conhost.exe{B81B27B7-BB3E-61F9-530D-02000000CE01}840C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087255Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:10.424{B81B27B7-4B39-61E8-0C00-00000000CE01}7364796C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087254Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:10.424{B81B27B7-4B39-61E8-0C00-00000000CE01}7364796C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087253Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:10.424{B81B27B7-4B39-61E8-0C00-00000000CE01}7364796C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087252Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:10.424{B81B27B7-4B39-61E8-0C00-00000000CE01}7364796C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087251Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:10.424{B81B27B7-4B38-61E8-0500-00000000CE01}420540C:\Windows\system32\csrss.exe{B81B27B7-BB3E-61F9-530D-02000000CE01}840C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000071087250Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:10.424{B81B27B7-4B3A-61E8-2600-00000000CE01}21723992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-BB3E-61F9-530D-02000000CE01}840C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000071087249Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:10.410{B81B27B7-BB3E-61F9-530D-02000000CE01}840C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4B39-61E8-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000071087248Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:10.221{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=07EE0EB7ECC91F2AAB0B8D68BA739ABA,SHA256=6EE0CE00796140121006BF76441137A2720C2E5E2FA88407AE075ABCF1E35391,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087247Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:10.221{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=87EEAAE83A14349C1206594E8460EC16,SHA256=7C5C0CEA962D5991DDA9C7824B7CD91515C949C4AA5D5F22A08BB1AA1F12565D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000150684315Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:10.106{3BF36828-BB3D-61F9-8D0D-02000000CF01}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000150684314Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:10.106{3BF36828-BB3D-61F9-8D0D-02000000CF01}25564868C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150684313Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:10.106{3BF36828-BB3D-61F9-8D0D-02000000CF01}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000150684312Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:10.106{3BF36828-BB3D-61F9-8D0D-02000000CF01}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000071087259Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:11.940{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E623F977D7B2836726E0B5BAE14F1C2,SHA256=1B0D0215DD76A200DEDDFDAEA3489C2625ED54FCC34C3D9E01AF44A7243D6218,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087258Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:11.424{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=07EE0EB7ECC91F2AAB0B8D68BA739ABA,SHA256=6EE0CE00796140121006BF76441137A2720C2E5E2FA88407AE075ABCF1E35391,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684369Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:12.091{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D170E6AE4412C39C782BE1D8D764C183,SHA256=7DF4F18CD1CB5FA0E81BD31D6987622265A6B2A6D78D41C38C0DB1D5EBEE8DDF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000150684372Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:55.662{3BF36828-4B56-61E8-6D00-00000000CF01}4044C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local59770-false10.0.1.12-8000- 23542300x8000000000000000150684371Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:13.185{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2563969C4588C8D29C5560D5D84CFBA3,SHA256=DA87E4D7F0EB9CB8DB425D3CBD2CE79635DEEC81AF95FEFEAA5AADCA911A6568,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684370Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:13.106{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C4C885E0863676D372607B6077CC480,SHA256=E37ACD819D61840246F503F5904106BFB19484ADEEE51F9B1EF99F8B7EE7CAD9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000071087261Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:06.875{B81B27B7-4B45-61E8-6600-00000000CE01}4020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local54101-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000071087260Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:13.002{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A592C6B00AAAF3E4C06BF273A17EA25,SHA256=04CF837424D861ECEF3CAF3B4FCF94E664E38A5DC939C0EB989C4139BEC5551B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684373Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:14.138{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E757928C9C20090C316076CE4A04499,SHA256=D47BDC08A03CA723AD0584E70A441C4D0E9DDE2432FD4A029916081ECBCA464A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087262Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:14.237{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFE3A0982145C71D43B4A9D3A15EE4BC,SHA256=E3167519F6C63E73C89890D4287DC5F0295DB46FD1EE0DBC90E75CB3DCE39039,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684374Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:15.153{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=748C1FFC405E78D454CB6603BA2D19E5,SHA256=42436D6065E2F2AB73A25BBB10682B60D16C32D875F4FE12699A09CF937E2484,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087263Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:15.299{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF15556C76D37542FFC033D6829CC118,SHA256=43728623E2BBBE054A950D5B2FC56FD409ED3E42CC0B40510AB31717EC4F0BDD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087264Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:16.299{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=734F2F90D97B69D7F17E3F9045603D8C,SHA256=D433E5BAF9D28F811E7180EE36406E46CBABCA415B403E1F3010BC5B9F097B37,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684375Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:16.200{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDE283693DAC0ADA2261C66631B2C74A,SHA256=502F64BD9D28E0A542800D7F2A422049FB41D6B49D75A7CCFE74FE35AB24A57F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000150684427Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:17.778{3BF36828-BB45-61F9-8F0D-02000000CF01}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000150684426Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:17.766{3BF36828-BB45-61F9-8F0D-02000000CF01}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000150684425Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:17.766{3BF36828-BB45-61F9-8F0D-02000000CF01}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000150684424Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:17.606{3BF36828-BB45-61F9-8F0D-02000000CF01}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000150684423Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:17.606{3BF36828-BB45-61F9-8F0D-02000000CF01}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000150684422Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:17.606{3BF36828-BB45-61F9-8F0D-02000000CF01}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000150684421Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:17.606{3BF36828-BB45-61F9-8F0D-02000000CF01}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000150684420Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:17.606{3BF36828-BB45-61F9-8F0D-02000000CF01}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000150684419Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:17.606{3BF36828-BB45-61F9-8F0D-02000000CF01}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000150684418Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:17.606{3BF36828-BB45-61F9-8F0D-02000000CF01}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000150684417Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:17.591{3BF36828-BB45-61F9-8F0D-02000000CF01}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000150684416Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:17.591{3BF36828-BB45-61F9-8F0D-02000000CF01}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000150684415Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:17.591{3BF36828-BB45-61F9-8F0D-02000000CF01}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000150684414Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:17.591{3BF36828-BB45-61F9-8F0D-02000000CF01}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000150684413Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:17.591{3BF36828-BB45-61F9-8F0D-02000000CF01}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045,IMPHASH=2005807FD04567B79F4109D23F9E6018trueMicrosoft WindowsValid 734700x8000000000000000150684412Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:17.591{3BF36828-BB45-61F9-8F0D-02000000CF01}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000150684411Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:17.591{3BF36828-BB45-61F9-8F0D-02000000CF01}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000150684410Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:17.591{3BF36828-BB45-61F9-8F0D-02000000CF01}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000150684409Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:17.591{3BF36828-BB45-61F9-8F0D-02000000CF01}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000150684408Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:17.591{3BF36828-BB45-61F9-8F0D-02000000CF01}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000150684407Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:17.591{3BF36828-BB45-61F9-8F0D-02000000CF01}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000150684406Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:17.591{3BF36828-BB45-61F9-8F0D-02000000CF01}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000150684405Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:17.591{3BF36828-BB45-61F9-8F0D-02000000CF01}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000150684404Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:17.591{3BF36828-BB45-61F9-8F0D-02000000CF01}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000150684403Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:17.591{3BF36828-BB45-61F9-8F0D-02000000CF01}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000150684402Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:17.591{3BF36828-BB45-61F9-8F0D-02000000CF01}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000150684401Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:17.591{3BF36828-BB45-61F9-8F0D-02000000CF01}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000150684400Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:17.591{3BF36828-BB45-61F9-8F0D-02000000CF01}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000150684399Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:17.575{3BF36828-BB45-61F9-8F0D-02000000CF01}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000150684398Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:17.575{3BF36828-BB45-61F9-8F0D-02000000CF01}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000150684397Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:17.575{3BF36828-BB45-61F9-8F0D-02000000CF01}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000150684396Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:17.575{3BF36828-BB45-61F9-8F0D-02000000CF01}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000150684395Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:17.575{3BF36828-BB45-61F9-8F0D-02000000CF01}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000150684394Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:17.575{3BF36828-BB45-61F9-8F0D-02000000CF01}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000150684393Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:17.575{3BF36828-BB45-61F9-8F0D-02000000CF01}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x8000000000000000150684392Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:17.575{3BF36828-BB45-61F9-8F0D-02000000CF01}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000150684391Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:17.575{3BF36828-BB45-61F9-8F0D-02000000CF01}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000150684390Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:17.575{3BF36828-BB45-61F9-8F0D-02000000CF01}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150684389Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:17.575{3BF36828-BB45-61F9-8F0D-02000000CF01}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000150684388Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:17.575{3BF36828-4B4B-61E8-3600-00000000CF01}34443464C:\Windows\system32\conhost.exe{3BF36828-BB45-61F9-8F0D-02000000CF01}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150684387Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:17.575{3BF36828-BB45-61F9-8F0D-02000000CF01}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000150684386Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:17.575{3BF36828-BB45-61F9-8F0D-02000000CF01}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000150684385Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:17.575{3BF36828-BB45-61F9-8F0D-02000000CF01}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150684384Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:17.575{3BF36828-BB45-61F9-8F0D-02000000CF01}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748trueSplunk, Inc.Valid 10341000x8000000000000000150684383Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:17.575{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684382Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:17.575{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684381Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:17.575{3BF36828-4B36-61E8-0500-00000000CF01}416432C:\Windows\system32\csrss.exe{3BF36828-BB45-61F9-8F0D-02000000CF01}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000150684380Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:17.575{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684379Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:17.575{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684378Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:17.575{3BF36828-4B49-61E8-2D00-00000000CF01}30564072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-BB45-61F9-8F0D-02000000CF01}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000150684377Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:17.560{3BF36828-BB45-61F9-8F0D-02000000CF01}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4B37-61E8-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000150684376Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:17.232{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B1D322F8B036AC2A797F172CAD46952,SHA256=DE6CD4E28D0ADF2EED528B79A063EA24806AB2BF462695ADA9F8230BF8D46950,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087265Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:17.331{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46A9E7284E8549859722CA7F34DA9468,SHA256=04DFC17D0E6C78FA40E20BEC1A347CBCA1FC299A647DB06CB9ECA49D080DBA18,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684430Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:18.419{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F256714B55D05E153B602ADBD5628E4E,SHA256=FE2285022B0405CB132A19903750D8E51A46C4537E6A32C494B643D4CD1A53C0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684429Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:18.419{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3645038F74E35416C90E5AB77F6CCB5C,SHA256=4F955218EFC304B8E33CCC17D83968B2F24AF603FBD1B6D99CEDA8F08129E04F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684428Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:18.419{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CF6FC3E46F91021674866D61BF3A5C3C,SHA256=674FC27E1A7DAF2B4DC76ECD47A0957BC5AD067EFC26973CF3B732015D3A07B4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087266Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:18.346{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AC0C2C2DFBDFE7E0F39FE2FCE5B388A,SHA256=D1661161E50B138C98E29AD5F719723BDDA4A749699748E2A859B1AE3C1FE7E5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684432Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:19.638{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F346746B43F7BDFC1EE290D59E0355E1,SHA256=17CCC626A300BA19CFF59A961D71311C90B01830EA000997FB946B0E7170C1C8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000071087268Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:12.687{B81B27B7-4B45-61E8-6600-00000000CE01}4020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local54102-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000071087267Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:19.424{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F1D3E708275D43568346B5AFACC4576,SHA256=F50016BA1AA17575C46483520016A3B6EE9A38DC75CF0C0B6D8B62C4FCFB1A73,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000150684431Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:00.803{3BF36828-4B56-61E8-6D00-00000000CF01}4044C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local59771-false10.0.1.12-8000- 23542300x8000000000000000150684434Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:20.669{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=171FC1F6D223493DF8C76E15E4C611C3,SHA256=CA74CC9E618C937F361702C4D06A620A6EBEBD147EDC093658C665573FFA4C7A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000071087278Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:20.940{B81B27B7-BB48-61F9-540D-02000000CE01}28964920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087277Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:20.706{B81B27B7-4B3C-61E8-3000-00000000CE01}31083128C:\Windows\system32\conhost.exe{B81B27B7-BB48-61F9-540D-02000000CE01}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087276Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:20.690{B81B27B7-4B39-61E8-0C00-00000000CE01}7364796C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087275Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:20.690{B81B27B7-4B39-61E8-0C00-00000000CE01}7364796C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087274Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:20.690{B81B27B7-4B39-61E8-0C00-00000000CE01}7364796C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087273Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:20.690{B81B27B7-4B39-61E8-0C00-00000000CE01}7364796C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087272Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:20.690{B81B27B7-4B38-61E8-0500-00000000CE01}4202120C:\Windows\system32\csrss.exe{B81B27B7-BB48-61F9-540D-02000000CE01}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000071087271Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:20.690{B81B27B7-4B3A-61E8-2600-00000000CE01}21723992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-BB48-61F9-540D-02000000CE01}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000071087270Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:20.675{B81B27B7-BB48-61F9-540D-02000000CE01}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4B39-61E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000071087269Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:20.627{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B6611C630245334CC07DBFDB1389FBE,SHA256=2DEFF47C662CF33992BF12D9E65747CEE5D743722975157CA7F21358419DA238,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684433Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:20.310{3BF36828-4B39-61E8-1300-00000000CF01}352NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=6E3D778A571AD3D77484DC38CCF9E90E,SHA256=CF12A599D50262435857A1095D9940691C745B4374A2C6CABB2758805CE7834A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684435Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:21.700{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=440D5AA7B8558D5EDE8F4AAED3649C93,SHA256=6056426E1599601E9E695CAC07017ACA70840FAF24DB667AA4074EF86A1DDD58,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000071087298Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:21.831{B81B27B7-4B3C-61E8-3000-00000000CE01}31083128C:\Windows\system32\conhost.exe{B81B27B7-BB49-61F9-560D-02000000CE01}4892C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087297Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:21.831{B81B27B7-4B39-61E8-0C00-00000000CE01}7364796C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087296Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:21.831{B81B27B7-4B39-61E8-0C00-00000000CE01}7364796C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087295Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:21.831{B81B27B7-4B39-61E8-0C00-00000000CE01}7364796C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087294Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:21.831{B81B27B7-4B39-61E8-0C00-00000000CE01}7364796C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087293Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:21.831{B81B27B7-4B38-61E8-0500-00000000CE01}420436C:\Windows\system32\csrss.exe{B81B27B7-BB49-61F9-560D-02000000CE01}4892C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000071087292Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:21.831{B81B27B7-4B3A-61E8-2600-00000000CE01}21723992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-BB49-61F9-560D-02000000CE01}4892C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000071087291Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:21.817{B81B27B7-BB49-61F9-560D-02000000CE01}4892C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4B39-61E8-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000071087290Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:21.690{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=07DF5C406D02430C957A0167562AFB51,SHA256=3829DFC70FC2D4ADA9E06BBFD893C8C99A84D09674E13E0B50D904EBC01A4493,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087289Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:21.690{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A734D5FA96E5C586B4E1BD6E889CB597,SHA256=577CAFF995FA661EB5502194D0ECA99FD2229B5D7728A39E369D2B91B3FC2720,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087288Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:21.643{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C90FC4631DB4EA8145BF0D48B8E023B,SHA256=83528FB2674826BE088579FB004BA8AE15131A612BC2D7A911F115365B7F32BF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000071087287Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:21.440{B81B27B7-BB49-61F9-550D-02000000CE01}12123512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087286Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:21.206{B81B27B7-4B3C-61E8-3000-00000000CE01}31083128C:\Windows\system32\conhost.exe{B81B27B7-BB49-61F9-550D-02000000CE01}1212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087285Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:21.206{B81B27B7-4B39-61E8-0C00-00000000CE01}7364796C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087284Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:21.206{B81B27B7-4B39-61E8-0C00-00000000CE01}7364796C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087283Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:21.206{B81B27B7-4B39-61E8-0C00-00000000CE01}7364796C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087282Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:21.206{B81B27B7-4B38-61E8-0500-00000000CE01}4202120C:\Windows\system32\csrss.exe{B81B27B7-BB49-61F9-550D-02000000CE01}1212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000071087281Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:21.206{B81B27B7-4B39-61E8-0C00-00000000CE01}7364796C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087280Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:21.206{B81B27B7-4B3A-61E8-2600-00000000CE01}21723992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-BB49-61F9-550D-02000000CE01}1212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000071087279Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:21.191{B81B27B7-BB49-61F9-550D-02000000CE01}1212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4B39-61E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000150684436Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:22.716{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBDBCADAD955DF46BABE94B915B2A477,SHA256=025F029F0900CED38C0864AD2F11E4D480E2D632ECCFBF1675ED76150DDE7590,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087309Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:22.831{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=07DF5C406D02430C957A0167562AFB51,SHA256=3829DFC70FC2D4ADA9E06BBFD893C8C99A84D09674E13E0B50D904EBC01A4493,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000071087308Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:22.690{B81B27B7-BB4A-61F9-570D-02000000CE01}8524904C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000071087307Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:22.659{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DB9850B12ADF5935636BE561BBDBD41,SHA256=AF8E6364341C58F8AED2097AA3FDA2598E2A92333EDDA8D01254D12229D46FD6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000071087306Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:22.518{B81B27B7-4B3C-61E8-3000-00000000CE01}31083128C:\Windows\system32\conhost.exe{B81B27B7-BB4A-61F9-570D-02000000CE01}852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087305Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:22.518{B81B27B7-4B39-61E8-0C00-00000000CE01}7364796C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087304Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:22.518{B81B27B7-4B39-61E8-0C00-00000000CE01}7364796C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087303Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:22.518{B81B27B7-4B39-61E8-0C00-00000000CE01}7364796C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087302Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:22.518{B81B27B7-4B39-61E8-0C00-00000000CE01}7364796C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087301Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:22.518{B81B27B7-4B38-61E8-0500-00000000CE01}420540C:\Windows\system32\csrss.exe{B81B27B7-BB4A-61F9-570D-02000000CE01}852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000071087300Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:22.518{B81B27B7-4B3A-61E8-2600-00000000CE01}21723992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-BB4A-61F9-570D-02000000CE01}852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000071087299Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:22.503{B81B27B7-BB4A-61F9-570D-02000000CE01}852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4B39-61E8-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000071087310Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:23.737{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D2D96757BC361585E70B5A7C723E293,SHA256=9278E0216A70965C5692B283058B266B750F6F31E8263794310496A23D964BAD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684437Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:23.731{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=011F44B45688571ECA4793937369755B,SHA256=8E4A640A735104BF8E8815259F99DCB3EBB496D1A41DACAC1A4229DDD3780ACE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087312Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:24.893{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEECE1055417487F1719733D32EBDC6C,SHA256=3BEF442406B644FC9A0B2A3E37B9F58F5DE3B618CF5D3F3795F187B53CCEC422,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684440Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:24.747{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=549AF98E10F27645B4B321280498494F,SHA256=06F19F53C0934BB92414E4D0618F930F5672798B156A4F7CE83240C0A11EABD6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000071087311Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:17.734{B81B27B7-4B45-61E8-6600-00000000CE01}4020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local54103-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000150684439Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:24.310{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E0C7AE5156611CF4E142BEAA2B391DC9,SHA256=B974DC9B8ADAC7BA4C43D73831270A9DB220F5A625973F8D822C1A6766239A3C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684438Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:24.310{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F256714B55D05E153B602ADBD5628E4E,SHA256=FE2285022B0405CB132A19903750D8E51A46C4537E6A32C494B643D4CD1A53C0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684441Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:25.763{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D661588C4065B5F7416B6298A87281F6,SHA256=AC3743FCD4F8D3A35F1F98406FDAF9F69C346DDEA8F07373F182982352F5D8B1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087313Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:25.909{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F99CA7D3D28B3EDC0D540696C6FFA98,SHA256=251B8FE1C3FF2879B9B93F9DDE48C869EFA00F5CDDB0C9871C4670EDAB744A45,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087314Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:26.909{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79CDCE4BCACC452151F98C21A1FA34AC,SHA256=9F56783EA8440562D139FE818614ECDB7295CF4B45790508FA98BB3CA3E42B1F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684443Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:26.778{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E08D558B1D67031C3AD348C5628A227D,SHA256=EEAE7D79F5F558E22CBAD2E4FB1256F4F3DDF5F8F921CF2619A22F885D8726CD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000150684442Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:06.819{3BF36828-4B56-61E8-6D00-00000000CF01}4044C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local59772-false10.0.1.12-8000- 23542300x800000000000000071087315Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:27.925{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=367EB09DA8BD26118696FFF922AF215B,SHA256=DF168B55C4ADFD8D2389F7615E7255C93358E814D6CC8018488582FDB4B85DDA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684444Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:27.856{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5784DAB8FA245403695551A18B6DBA6,SHA256=63E3DCCB79129044DF457A3F07076040C86BFBAFC3FF266E4704A0AA51589A2D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087316Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:28.940{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99AE2BA414A7B35CB13BA3B1E335E229,SHA256=2653B0752ED48054EF7D2CEC8021FEB767D3D4CFD3887085A28ABC6E6EFC8DCF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684445Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:28.872{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBE5E5159D69BA8F163F1D88AB0F5B68,SHA256=40541E654F764221CC46988BCA8E493602C1F852EF511252F0F8B9624E48F3E6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684447Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:29.935{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0D5730FA5C2D5BF2420F4A3E870750C,SHA256=4A6EA0335138BC31C1F8123EE4D774921B536B45C6C7BAB3C10D9BF9B92688E1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087318Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:29.956{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68087B8B333D1FADDA18773D24FC4BD7,SHA256=E1FDC21C4DF11A6E75F7DE2EA05617E5B0C38CBE422D540A31F0F2D50110C6C6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000071087317Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:22.812{B81B27B7-4B45-61E8-6600-00000000CE01}4020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local54104-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 734700x8000000000000000150684446Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:29.216{3BF36828-BB2E-61F9-880D-02000000CF01}5192C:\Windows\System32\dllhost.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=FD486B6FA360ABE43E02E85F3164E9BE,SHA256=733922A216EC03FC6AA405205CD2F8BB81A39180F26839588B97F310E21071B5,IMPHASH=C3F4A4DA2950075F09DD008B60FF567CtrueMicrosoft WindowsValid 23542300x8000000000000000150684450Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:30.981{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0B4D3C4053738B853E4B0689D1698E3,SHA256=2BD517F6F598DDB83F9A872E9F354D7EE6F7DBDCC05A7475B34B28408B16C891,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087319Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:30.971{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D18AF57C3938D99D1DF9D82FAAB2052,SHA256=894D7B52CEA404BE997DFE7531183668BF6D91E483F5F2D3C5A3FC2FB070406C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684449Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:30.153{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=316FC2C0C0A697B319CCBB0D800FDCDD,SHA256=0EBC91635DC32E60B29EE06D5032632D58C35E3F4FE3AC3D1058461B42BA7822,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684448Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:30.153{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E0C7AE5156611CF4E142BEAA2B391DC9,SHA256=B974DC9B8ADAC7BA4C43D73831270A9DB220F5A625973F8D822C1A6766239A3C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087320Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:31.987{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49106DD9D500670D4B14A7621E800F2A,SHA256=1C64CBA035BF98C05C4CB0F1CE646E6CDAEC12BABE5D3E9C18B641CF4754AA57,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000150684451Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:12.693{3BF36828-4B56-61E8-6D00-00000000CF01}4044C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local59773-false10.0.1.12-8000- 23542300x8000000000000000150684453Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:32.294{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=316FC2C0C0A697B319CCBB0D800FDCDD,SHA256=0EBC91635DC32E60B29EE06D5032632D58C35E3F4FE3AC3D1058461B42BA7822,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684452Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:31.997{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A154A0D15F691997265557E243700BFB,SHA256=EFD8D4B482E85ABE088DFE4A57D0BC93649AE84583C2D93BFD6B5587945D66B3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087321Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:33.003{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60D9D98D001DED4C89CDCCC8EC00670F,SHA256=97053F04944B75199DA41B0CE8FC5A2A298C17DB170E2D59042FE4AF5A636EEB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000150684456Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:14.819{3BF36828-4B37-61E8-0B00-00000000CF01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local59774-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 354300x8000000000000000150684455Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:14.819{3BF36828-4B49-61E8-2500-00000000CF01}2824C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local59774-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 23542300x8000000000000000150684454Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:33.044{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E9D12B699593F22E0E5E435B379DCED,SHA256=01A5B5B3300148ECBE8460EC9DA4E82F27B5C436C7DB0B0E6F8EFE54492880CE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684457Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:34.060{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CE75F6AA688939BB0B59343329F0E8D,SHA256=1C5945EC020B9A4E5E9FCB23C92C8054EA33DB98C726F9FEDEE1688237DD59C9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087322Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:34.018{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D54129FA7CA4E4E83A799D6967E6CE03,SHA256=B4646E66020CEB7C77B5DF12CFBCDE059BF4D8E6758701988319FD41439153FE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000150684488Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:17.818{3BF36828-4B56-61E8-6D00-00000000CF01}4044C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local59775-false10.0.1.12-8000- 23542300x8000000000000000150684487Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:35.278{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DB607F86CCD7A662C099A2CFD34BF11D,SHA256=15D1881636C431F3B6C88F9A875C4031885AA4BEDC0A12897296373E16A76E0E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000150684486Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:35.185{3BF36828-4B39-61E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{3BF36828-0669-61F8-11DA-01000000CF01}6068C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684485Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:35.185{3BF36828-4B39-61E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{3BF36828-0669-61F8-11DA-01000000CF01}6068C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684484Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:35.185{3BF36828-4B39-61E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{3BF36828-0669-61F8-11DA-01000000CF01}6068C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684483Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:35.185{3BF36828-4B39-61E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{3BF36828-0669-61F8-11DA-01000000CF01}6068C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684482Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:35.185{3BF36828-4B39-61E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{3BF36828-0669-61F8-11DA-01000000CF01}6068C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684481Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:35.185{3BF36828-4B39-61E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{3BF36828-0669-61F8-11DA-01000000CF01}6068C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684480Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:35.185{3BF36828-4B39-61E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{3BF36828-0669-61F8-11DA-01000000CF01}6068C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684479Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:35.185{3BF36828-4B39-61E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{3BF36828-0669-61F8-11DA-01000000CF01}6068C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684478Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:35.185{3BF36828-4B39-61E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{3BF36828-0669-61F8-11DA-01000000CF01}6068C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684477Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:35.185{3BF36828-4B39-61E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{3BF36828-0669-61F8-11DA-01000000CF01}6068C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684476Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:35.185{3BF36828-4B39-61E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{3BF36828-0669-61F8-11DA-01000000CF01}6068C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684475Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:35.185{3BF36828-4B39-61E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{3BF36828-0669-61F8-11DA-01000000CF01}6068C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684474Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:35.185{3BF36828-4B39-61E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{3BF36828-0669-61F8-11DA-01000000CF01}6068C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684473Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:35.185{3BF36828-4B39-61E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{3BF36828-0669-61F8-11DA-01000000CF01}6068C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684472Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:35.185{3BF36828-4B39-61E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{3BF36828-0669-61F8-11DA-01000000CF01}6068C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684471Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:35.185{3BF36828-4B39-61E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{3BF36828-0669-61F8-11DA-01000000CF01}6068C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684470Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:35.185{3BF36828-4B39-61E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{3BF36828-0669-61F8-11DA-01000000CF01}6068C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684469Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:35.185{3BF36828-4B39-61E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{3BF36828-0669-61F8-11DA-01000000CF01}6068C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684468Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:35.185{3BF36828-4B39-61E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{3BF36828-066A-61F8-13DA-01000000CF01}3168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684467Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:35.185{3BF36828-4B39-61E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{3BF36828-066A-61F8-13DA-01000000CF01}3168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684466Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:35.185{3BF36828-4B39-61E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{3BF36828-066A-61F8-13DA-01000000CF01}3168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684465Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:35.185{3BF36828-4B39-61E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{3BF36828-066A-61F8-12DA-01000000CF01}6088C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684464Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:35.185{3BF36828-4B39-61E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{3BF36828-066A-61F8-12DA-01000000CF01}6088C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684463Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:35.185{3BF36828-4B39-61E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{3BF36828-066A-61F8-12DA-01000000CF01}6088C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684462Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:35.185{3BF36828-4B39-61E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{3BF36828-066A-61F8-12DA-01000000CF01}6088C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684461Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:35.185{3BF36828-4B39-61E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{3BF36828-066A-61F8-12DA-01000000CF01}6088C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684460Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:35.185{3BF36828-4B39-61E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{3BF36828-066A-61F8-12DA-01000000CF01}6088C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684459Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:35.185{3BF36828-4B39-61E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{3BF36828-066A-61F8-12DA-01000000CF01}6088C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000150684458Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:35.060{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19907BDD0BB7608050533B35DE9FB39A,SHA256=9D2AD2A7579E35B8F226D484A092F6A84BB80ECC90A73FE3D243235ED66FB72C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000071087324Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:28.720{B81B27B7-4B45-61E8-6600-00000000CE01}4020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local54105-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000071087323Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:35.034{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AF65CE5EF33BA1B0AA62096042BEFB7,SHA256=616235CCF69FE60179B5DF4ACF20756E1681D2082430A4FACBB5D0A299A78EE8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684489Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:36.497{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D01ADAF57D4C7F567086A11DB20E37C0,SHA256=C6F9EBE561225FC05C9352AF5CA0F3AB246B17FC5580543D7D3D360FFEF44F83,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087325Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:36.049{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A11EE703EF5C027D6FA93E3F1D3EACB,SHA256=3971EA54A261E50F4598BBE9CF47EDE8DC13EBAF234DC9159A4CD99C12560123,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684490Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:37.731{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA56DCED24C0500C36EC2E9FFE79BA25,SHA256=377399D8C30E5B40687FF62C74ED9A3AA92CF191EF5AF8AF25CAF868627D5E18,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087326Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:37.049{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A919267BCDD91C9003326E220C479AD8,SHA256=2EDFEBDEDBB2CA5549651D41DB1A2749A7D3AA1E38EB6178B2B2DE5852987CE4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684491Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:38.747{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A8F427823B98603DAD7704FCE1CA432,SHA256=B6ED41873C354F3E9A785A4D8D08B4483FCC04D01B02DE447A661163A9C01A1E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087327Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:38.049{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81A2533F91332E1602984DBA556D73E5,SHA256=E93C0E3FFBFDEE112F529203EAE5AD2215865DF264AC3A046B37767934C78BCA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684492Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:39.763{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4809FF4C8CF5398768052C9603E4B8B4,SHA256=442B3BB55614B35973565DDBE11226B061D54950F9E1D1240E6A7EE86F265BC1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087328Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:39.065{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C146C8CB20A569C4FDE2EA1E3B05A76,SHA256=E4B3DE6DE8F9FD6FC73233F715B6F471FE1855521C31FCDE77D4CB81B3A00207,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684493Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:40.810{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB8B222AEB6E58C53F60B673F4BD5081,SHA256=E510C8E4C546F728630F04B348112E5AF84070C5C15672BF6894AB930CF3ED77,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087329Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:40.065{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=153CED2070548F1854CCB0564497E449,SHA256=859C96C729F55B6AC07251953AAD3E0132CB21150F23515061BFC0ED31699DDB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684497Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:41.841{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDF384E4C0D0FF7F33716D452F30EE84,SHA256=BB544277A4D701ADD154D367ECF788E699FA755AC978081482E594E9B176903B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000071087331Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:34.703{B81B27B7-4B45-61E8-6600-00000000CE01}4020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local54106-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000071087330Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:41.081{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FF6A2696F23037283CE1380BB76947D,SHA256=F4852C8FE83F1F5FE540C2B1A8DFFCC3D08A0A71A818A005C87564D5B6D84B85,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000150684496Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:23.740{3BF36828-4B56-61E8-6D00-00000000CF01}4044C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local59776-false10.0.1.12-8000- 23542300x8000000000000000150684495Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:41.185{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=70FD86D6BFC087B409B838E5FDCE5BBF,SHA256=E85973D39C771FB8A4FD7402E7D607DC6B636BC3110E6C8888F8DF784A3ECAD1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684494Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:41.185{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=78BB64E3C3FD9F29405E39FA3B914DF8,SHA256=AD5CB17234DB6C4B3A00DD946E458E1A308363884C27710B4790B5CDF83B58B6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684498Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:42.872{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D68D6F00EABA8C62CAFE35B859EFE03F,SHA256=2512DF671B5A1905BACD6E79FE38FA83AB57A02D2E9F386483023E89A3AF0CAD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087332Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:42.096{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F65A0DA523901FAA9005400330FF26E2,SHA256=82D221E82E67ECF93E618FD6D2CBA07307C8B3347FEC4728D555942AB59233FA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684499Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:43.888{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1928E7E92FDEBA62C433378F309588D7,SHA256=5E99EC57D6306A653D27FC93393803A81CF562D50165246BB6FF559DCD1E3C9D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087333Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:43.112{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B243BB1E3BCBDEF500FE81C5CB01996,SHA256=D1528C5BBA67735649CEB6174735DCF4BDC05A5E1CC7915A756AC28853DCF1B1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684500Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:44.889{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78886D151FA937023839933C88CE72E1,SHA256=A84CA2A9CB5C687D466B90726E4247373228184A0DB3643A91B40FC708D82F71,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087334Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:44.128{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28D68861CF8A237D220EC2FF663A0C2B,SHA256=B643CDC2F3ECE7F9F0179CE1FFF89EE57353D1033C2ED189FB794D0B1C36A590,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684501Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:45.902{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=488574762FBA410EF023B25F4AB208F4,SHA256=91DD925B9E97D00070F3BFF8603F72C7EFC9EA788A6A5A166E0D2733F8187C4D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087335Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:45.159{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=559C925BBF4133F8B64962E800750375,SHA256=C7935A9F5EA5D6C7E76F45B51677D23C63533AFCE3F46E4DE71C972DF701B5D8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684502Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:46.906{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8A1A9C1D25F39A886B55DE9A29D01DE,SHA256=1CEAEA63868D81C579BC2F6779C4E368AA1DBE49C602AAC00ADE3765FD0FAC1B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000071087338Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:39.827{B81B27B7-4B45-61E8-6600-00000000CE01}4020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local54107-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000071087337Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:46.268{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4C35940F9F42A05B702F0382C6C96E8,SHA256=633BF233A5BBA67E8110D886666FDF4F24F4F3C10D1C7EFFEDE174090FA78686,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087336Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:46.159{B81B27B7-4B3A-61E8-2600-00000000CE01}2172NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684506Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:47.922{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D7A183804D41788AFE430B3C5881EA4,SHA256=F8F601C4F34FFD2C0147CB94BA2932C39F5176C377DF9D4A62F22102B2F488BD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000071087340Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:40.812{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local54108-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x800000000000000071087339Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:47.268{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=467239DB132511E56607068FF46E9AE9,SHA256=DE4B5460B3CCD01997850B46D6C59AB4B7D6EBD688614BFF34B9150059AA03F5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000150684505Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:29.634{3BF36828-4B56-61E8-6D00-00000000CF01}4044C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local59777-false10.0.1.12-8000- 23542300x8000000000000000150684504Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:47.078{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=760CDC809F95DB43CD546D9E1A37781C,SHA256=6F52E34E3CB2EF3A65B724AA216E48593FDAAC134C29496B629A521609767282,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684503Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:47.078{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=70FD86D6BFC087B409B838E5FDCE5BBF,SHA256=E85973D39C771FB8A4FD7402E7D607DC6B636BC3110E6C8888F8DF784A3ECAD1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684507Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:48.969{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=528FCA65E3DF6229135A385EF0521942,SHA256=3A65B1A747E90CDE45CF4128BCB6FD537169B852510BCBF7D425746C6E9E515F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087341Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:48.268{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED42A0925C5BF423FC4EDF2E166F7C62,SHA256=9D66B38D04D92FC243FF38F08B6E11266EFB761B4CBAB264877CF126DCAF647C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087342Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:49.299{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09414BD2B7128389A7C151C5242FA266,SHA256=67A453A8C42383024D91C8F16EF923D28A29EF9FB93C7D2B85B3289CBA6AC9E6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087343Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:50.362{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9C1DA6E1C23C8806C1CAD99D709AF3E,SHA256=FC354A26DE795D505044F77428EB55F75537AB1A408A42AA0C9ACD614671A9FA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684508Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:50.016{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46FDE5C1FF9D6F5D3F6697F42C9B5EF2,SHA256=18C7FF37321A3E7032A0C2A0CFB5FD99341EF3DB1168999C976950C58B042494,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087344Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:51.503{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF17ABCCE09B0D03E2E7A1651BBFA29D,SHA256=99BCBBCD6B500A37333F39670B6B5E9524957D8472E6A54F1C99C4E2D5FC08DD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684509Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:51.016{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E56DA32703BA27265541B3FF8C152A18,SHA256=3E9A7E3EDE9458EE45D0D88D0D9195343B5AB669906DED82369AA4BFA70C7303,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087345Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:52.596{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3515F35F817302E633D814240268529E,SHA256=1EF05E9867891B1929AD5C059BCFDF8383508E9184DF5EECDF2AC09922C84DA7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684512Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:52.141{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C79F17C36FC5936D14625E1FA44D8491,SHA256=4EAB524048A7A828AACFF3A9BF86F36BDCAB68B06A5FD0079860718D4432DAF8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684511Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:52.141{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=760CDC809F95DB43CD546D9E1A37781C,SHA256=6F52E34E3CB2EF3A65B724AA216E48593FDAAC134C29496B629A521609767282,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684510Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:52.031{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F96FB2665B02418CE6EB81791AC2702,SHA256=D045949031D7C6B5976E99D31749C90AA0D93DA18AE9E9AB0D1A084E19B84A0A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087347Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:53.799{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61376B8BE1CEFF0AD334AE4A73C27479,SHA256=FC92C6B1ED6816170AE8E8B1B24EC6D8758D382A246334CF5D5995ADC620887D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000150684515Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:34.696{3BF36828-4B56-61E8-6D00-00000000CF01}4044C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local59778-false10.0.1.12-8000- 23542300x8000000000000000150684514Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:53.063{3BF36828-4B49-61E8-2D00-00000000CF01}3056NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684513Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:53.047{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91DB1CE57413EE6D247D5E9C08E725DA,SHA256=B4C41BD542FB8E22597285BDDF53B8884BD3EEB463C386D25047CA66EE712B80,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000071087346Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:45.734{B81B27B7-4B45-61E8-6600-00000000CE01}4020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local54109-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000071087348Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:54.799{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78FA8CCDED289CEAC0D3C831CDF82A95,SHA256=320E6F0D4B38DB6A1F6ABCD627E9DF63FF452B18756A25AD0D434E77E3716470,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000150684518Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:36.618{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local59779-false10.0.1.12-8089- 23542300x8000000000000000150684517Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:54.110{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C79F17C36FC5936D14625E1FA44D8491,SHA256=4EAB524048A7A828AACFF3A9BF86F36BDCAB68B06A5FD0079860718D4432DAF8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684516Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:54.078{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=187FCD384503336A7F4E8892FDDC01C5,SHA256=2F2A84D05E6A07D8E807B6D64487977454D35C08B247572C8E14CC4B6D73547E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087350Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:55.815{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B55BE3DD980A6F2FF4B8368C89406751,SHA256=2F644F5D977F9D2542E7971D539596035169511D945F053D187BA5CB254AF882,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684519Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:55.094{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89D286B95D2A459307C5975C1EFE54EF,SHA256=8DEA20A1050D436ECF265E6E9089A541BE4D4A5DF17D992B2721249D0178CDDD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087349Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:55.628{B81B27B7-4B3A-61E8-1000-00000000CE01}984NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=D8480B65E9E02EE455AF172CA46097FA,SHA256=197D3756644F7E6C1704FA8564BD35C9841C1CB21F2B46D63F1E6C7348075215,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087351Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:56.831{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=320422EF10AD5DA1A79FB3BC99027287,SHA256=07748E50B0E5EEA6FE21ECECB3007A0CDD9C93D11E5EC96C9F22AB656B82D0DA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684520Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:56.110{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=403FC4F665DAEC49D9CAB21F446519E7,SHA256=4DE635CE27EEAD9D3983026978F3E8C746AB73171931B3D7E0FBA31C4C240D05,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087352Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:57.831{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBD8D1865BEF57AEACA5A8212910A0F9,SHA256=53CD36CDB9D3AA15F0B30527A9F11627B9EA2BE940B1AC40A148E6F947982F80,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684521Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:57.156{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC20B990AF7F7F44DA7D4AEE0AFA75D8,SHA256=549C9653BFD1DD38201E0D7F1F4DD8DE25772517675ED02E42F6B57CA43BFCFB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087354Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:58.846{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=896F99FC0820C6794CC8CB7A90326DD2,SHA256=CB7554586A991B5F0CBCF00BDD860EF1ACF4A8FF67042AD26D3B3A86B2CC8ED8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684523Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:58.188{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A69B753114F6E2AC12C153462AEA2761,SHA256=02659234AE158162F18B7CE6AF30E12D821FAC9AB9063AADB150DF785D01C6C2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000071087353Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:50.812{B81B27B7-4B45-61E8-6600-00000000CE01}4020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local54110-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000150684522Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:58.094{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4F61A368DE3FF36277F6E1485BB75A20,SHA256=23E0AC5A58AF204DDA63538AE551B618AAE747640E4D858568B9C469E046D3ED,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087355Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:59.862{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=893F09B49A6AB5C333979BEB9311C4E4,SHA256=28678F1A9B2EA5C6540005C531A34A537ECD063C7023FAA132E4A390CB83EE6C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684525Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:59.235{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FE350D685D6C7C8D5E8B0F8044A60CE,SHA256=48EDEF0BE5D70B423620D94D83A9E93792BAB6F69E09BD917594A9E6A6395A8B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000150684524Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:40.634{3BF36828-4B56-61E8-6D00-00000000CF01}4044C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local59780-false10.0.1.12-8000- 23542300x800000000000000071087356Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:00.878{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=619D3D5C5A5C844001086FEC5C39E283,SHA256=8AE9E02D5062180C67DE78A46CE19F19E9685FC9A91DA1B4D676EB942F00E7EC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684526Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:00.250{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF09C7E11C29BA423ECCD3B14F762E31,SHA256=8053FBCD59550BC692FB1A7E6A7BF4E1A93DE03DD499AB2AB1104AD123D2FFC1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087357Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:01.893{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D5E8B1AD94A1621CCB96CF3CC0B8EAD,SHA256=B13A9B39D4795502726DFF17FEACACF98D7A47318320EF3429E135410887A967,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684527Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:01.266{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7653D5A67E965E692CCDF636430907A9,SHA256=3346142123B48DFEB327D7D47695E29A15E3E5BCA99C995BF87E39E3A6EAFDE7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087358Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:02.909{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F93C3DBA9B966AFBD79012A0499A62FE,SHA256=FBCE9C5DF910144CCDC663126FC64740BCA06C78726C96C95712294347D0EC0B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000150684579Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:02.969{3BF36828-BB72-61F9-900D-02000000CF01}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000150684578Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:02.969{3BF36828-BB72-61F9-900D-02000000CF01}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000150684577Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:02.969{3BF36828-BB72-61F9-900D-02000000CF01}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000150684576Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:02.813{3BF36828-BB72-61F9-900D-02000000CF01}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000150684575Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:02.813{3BF36828-BB72-61F9-900D-02000000CF01}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000150684574Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:02.813{3BF36828-BB72-61F9-900D-02000000CF01}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000150684573Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:02.813{3BF36828-BB72-61F9-900D-02000000CF01}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000150684572Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:02.813{3BF36828-BB72-61F9-900D-02000000CF01}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000150684571Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:02.813{3BF36828-BB72-61F9-900D-02000000CF01}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000150684570Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:02.813{3BF36828-BB72-61F9-900D-02000000CF01}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000150684569Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:02.813{3BF36828-BB72-61F9-900D-02000000CF01}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000150684568Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:02.797{3BF36828-BB72-61F9-900D-02000000CF01}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000150684567Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:02.797{3BF36828-BB72-61F9-900D-02000000CF01}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000150684566Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:02.797{3BF36828-BB72-61F9-900D-02000000CF01}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000150684565Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:02.797{3BF36828-BB72-61F9-900D-02000000CF01}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000150684564Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:02.797{3BF36828-BB72-61F9-900D-02000000CF01}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000150684563Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:02.797{3BF36828-BB72-61F9-900D-02000000CF01}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000150684562Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:02.797{3BF36828-BB72-61F9-900D-02000000CF01}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000150684561Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:02.797{3BF36828-BB72-61F9-900D-02000000CF01}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000150684560Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:02.797{3BF36828-BB72-61F9-900D-02000000CF01}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000150684559Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:02.797{3BF36828-BB72-61F9-900D-02000000CF01}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150684558Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:02.797{3BF36828-BB72-61F9-900D-02000000CF01}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000150684557Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:02.797{3BF36828-BB72-61F9-900D-02000000CF01}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000150684556Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:02.797{3BF36828-BB72-61F9-900D-02000000CF01}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000150684555Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:02.797{3BF36828-BB72-61F9-900D-02000000CF01}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000150684554Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:02.797{3BF36828-BB72-61F9-900D-02000000CF01}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000150684553Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:02.797{3BF36828-BB72-61F9-900D-02000000CF01}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000150684552Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:02.797{3BF36828-BB72-61F9-900D-02000000CF01}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000150684551Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:02.797{3BF36828-BB72-61F9-900D-02000000CF01}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000150684550Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:02.797{3BF36828-BB72-61F9-900D-02000000CF01}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000150684549Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:02.797{3BF36828-BB72-61F9-900D-02000000CF01}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000150684548Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:02.797{3BF36828-BB72-61F9-900D-02000000CF01}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000150684547Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:02.797{3BF36828-BB72-61F9-900D-02000000CF01}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000150684546Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:02.797{3BF36828-BB72-61F9-900D-02000000CF01}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000150684545Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:02.797{3BF36828-BB72-61F9-900D-02000000CF01}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000150684544Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:02.797{3BF36828-BB72-61F9-900D-02000000CF01}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000150684543Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:02.797{3BF36828-BB72-61F9-900D-02000000CF01}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000150684542Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:02.797{3BF36828-BB72-61F9-900D-02000000CF01}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x8000000000000000150684541Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:02.797{3BF36828-BB72-61F9-900D-02000000CF01}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x8000000000000000150684540Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:02.797{3BF36828-4B4B-61E8-3600-00000000CF01}34443464C:\Windows\system32\conhost.exe{3BF36828-BB72-61F9-900D-02000000CF01}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150684539Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:02.797{3BF36828-BB72-61F9-900D-02000000CF01}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000150684538Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:02.797{3BF36828-BB72-61F9-900D-02000000CF01}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000150684537Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:02.797{3BF36828-BB72-61F9-900D-02000000CF01}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150684536Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:02.797{3BF36828-BB72-61F9-900D-02000000CF01}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8trueSplunk, Inc.Valid 10341000x8000000000000000150684535Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:02.797{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684534Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:02.797{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684533Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:02.797{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684532Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:02.797{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684531Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:02.797{3BF36828-4B36-61E8-0500-00000000CF01}416432C:\Windows\system32\csrss.exe{3BF36828-BB72-61F9-900D-02000000CF01}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000150684530Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:02.797{3BF36828-4B49-61E8-2D00-00000000CF01}30564072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-BB72-61F9-900D-02000000CF01}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000150684529Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:02.782{3BF36828-BB72-61F9-900D-02000000CF01}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4B37-61E8-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000150684528Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:02.297{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=068B0725281971510BC4203F5E0F65B8,SHA256=36A532FD3A84EF243D2ABC3166995C633579B0E95AE42D57DF44EDD6430DB7A9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087359Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:03.925{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F18BC39C1776BA86F04C179A6FF03658,SHA256=27E0ECC1B3A412FED1CDC2192A00F422D3B33D3FF470CEFFE963695785BAA19B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000150684637Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:03.766{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B37-61E8-0B00-00000000CF01}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684636Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:03.766{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B37-61E8-0B00-00000000CF01}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684635Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:03.766{3BF36828-4B37-61E8-0B00-00000000CF01}6324464C:\Windows\system32\lsass.exe{3BF36828-4B37-61E8-0A00-00000000CF01}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150684634Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:03.766{3BF36828-4B39-61E8-1400-00000000CF01}1072C:\Windows\System32\svchost.exeC:\Windows\System32\OnDemandConnRouteHelper.dll10.0.14393.4169 (rs1_release.210107-1130)On Demand Connctiond Route HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationOnDemandConnRouteHelper.dllMD5=BAE78E97BEBB832376654560305922E3,SHA256=6A188DC4F1005E46CCA529E9C757D9B3B5F98E5587AFAA5E4200C7DD2AC73355,IMPHASH=FE994282C73F9AB11AC9B6E37AC26B47trueMicrosoft WindowsValid 10341000x8000000000000000150684633Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:03.641{3BF36828-BB73-61F9-910D-02000000CF01}53645700C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150684632Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:03.641{3BF36828-BB73-61F9-910D-02000000CF01}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000150684631Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:03.625{3BF36828-BB73-61F9-910D-02000000CF01}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000150684630Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:03.453{3BF36828-BB73-61F9-910D-02000000CF01}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000150684629Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:03.453{3BF36828-BB73-61F9-910D-02000000CF01}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000150684628Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:03.453{3BF36828-BB73-61F9-910D-02000000CF01}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000150684627Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:03.453{3BF36828-BB73-61F9-910D-02000000CF01}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000150684626Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:03.453{3BF36828-BB73-61F9-910D-02000000CF01}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000150684625Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:03.453{3BF36828-BB73-61F9-910D-02000000CF01}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000150684624Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:03.453{3BF36828-BB73-61F9-910D-02000000CF01}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000150684623Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:03.453{3BF36828-BB73-61F9-910D-02000000CF01}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000150684622Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:03.453{3BF36828-BB73-61F9-910D-02000000CF01}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000150684621Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:03.438{3BF36828-BB73-61F9-910D-02000000CF01}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000150684620Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:03.438{3BF36828-BB73-61F9-910D-02000000CF01}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000150684619Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:03.438{3BF36828-BB73-61F9-910D-02000000CF01}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000150684618Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:03.438{3BF36828-BB73-61F9-910D-02000000CF01}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000150684617Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:03.438{3BF36828-BB73-61F9-910D-02000000CF01}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000150684616Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:03.438{3BF36828-BB73-61F9-910D-02000000CF01}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000150684615Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:03.438{3BF36828-BB73-61F9-910D-02000000CF01}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000150684614Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:03.438{3BF36828-BB73-61F9-910D-02000000CF01}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000150684613Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:03.438{3BF36828-BB73-61F9-910D-02000000CF01}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000150684612Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:03.438{3BF36828-BB73-61F9-910D-02000000CF01}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000150684611Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:03.438{3BF36828-BB73-61F9-910D-02000000CF01}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000150684610Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:03.438{3BF36828-BB73-61F9-910D-02000000CF01}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000150684609Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:03.438{3BF36828-BB73-61F9-910D-02000000CF01}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000150684608Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:03.438{3BF36828-BB73-61F9-910D-02000000CF01}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000150684607Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:03.438{3BF36828-BB73-61F9-910D-02000000CF01}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x8000000000000000150684606Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:03.438{3BF36828-BB73-61F9-910D-02000000CF01}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000150684605Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:03.438{3BF36828-BB73-61F9-910D-02000000CF01}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000150684604Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:03.438{3BF36828-BB73-61F9-910D-02000000CF01}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000150684603Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:03.438{3BF36828-BB73-61F9-910D-02000000CF01}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000150684602Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:03.438{3BF36828-BB73-61F9-910D-02000000CF01}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000150684601Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:03.438{3BF36828-BB73-61F9-910D-02000000CF01}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000150684600Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:03.438{3BF36828-BB73-61F9-910D-02000000CF01}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000150684599Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:03.438{3BF36828-BB73-61F9-910D-02000000CF01}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000150684598Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:03.438{3BF36828-BB73-61F9-910D-02000000CF01}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000150684597Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:03.438{3BF36828-BB73-61F9-910D-02000000CF01}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000150684596Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:03.438{3BF36828-BB73-61F9-910D-02000000CF01}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150684595Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:03.438{3BF36828-BB73-61F9-910D-02000000CF01}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000150684594Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:03.438{3BF36828-4B4B-61E8-3600-00000000CF01}34443464C:\Windows\system32\conhost.exe{3BF36828-BB73-61F9-910D-02000000CF01}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150684593Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:03.422{3BF36828-BB73-61F9-910D-02000000CF01}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000150684592Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:03.422{3BF36828-BB73-61F9-910D-02000000CF01}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000150684591Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:03.422{3BF36828-BB73-61F9-910D-02000000CF01}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150684590Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:03.422{3BF36828-BB73-61F9-910D-02000000CF01}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165trueSplunk, Inc.Valid 10341000x8000000000000000150684589Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:03.422{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684588Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:03.422{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684587Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:03.422{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684586Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:03.422{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684585Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:03.422{3BF36828-4B36-61E8-0500-00000000CF01}4164876C:\Windows\system32\csrss.exe{3BF36828-BB73-61F9-910D-02000000CF01}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000150684584Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:03.422{3BF36828-4B49-61E8-2D00-00000000CF01}30564072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-BB73-61F9-910D-02000000CF01}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000150684583Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:03.410{3BF36828-BB73-61F9-910D-02000000CF01}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4B37-61E8-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000150684582Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:03.406{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31E6700D0FBE3E71ADAFDEEA72A624DB,SHA256=874A77B3955161968FC954D55FBEDC4228F03C01456E8555E116153F55CD2153,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684581Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:03.172{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=16F17A79450BBD4BC845C10409B10615,SHA256=48E76552F652C5D532CDDA5931A85B8382DAC59B5B71BEEECACE473D16F12033,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684580Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:03.172{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=154D0DCA17CDCA5738A0EB2691C2F438,SHA256=FCFC34C64E48239C37740FAA6C4B43E162829BB80A097746D24B4B88E2F1081C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087374Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:04.940{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F74FE8FB89CAD7294454D27066F05F8D,SHA256=DFABB1D69D75FBBF39476586115E50BFD637C61B23CD3E9AD76FA8EBB36A8E93,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684642Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:04.781{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=C9B6FBF068F47A4936F49410B099842F,SHA256=17C8A366704120CC6B886A5915738B19B8DFDD406000AC562AB8E81716216871,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684641Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:04.781{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=C5B1C032DF695FEC315AEDDF5858D3E4,SHA256=30045EFBCC4F78025F4178F4CF33B6FAA3B7E8A4BC91BD249C4A54B9337DB344,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684640Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:04.547{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFF2C5B6976ED0DE8338FBDE81422F89,SHA256=205AACE8138260AA66C098E1213F3BB44779B2C7E2D1CCE6100AB2ABA8AC02DE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000071087373Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:04.362{B81B27B7-4B38-61E8-0B00-00000000CE01}6404196C:\Windows\system32\lsass.exe{B81B27B7-BB74-61F9-580D-02000000CE01}2564C:\Tools\x64\mimikatz.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087372Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:04.362{B81B27B7-4B38-61E8-0B00-00000000CE01}6404196C:\Windows\system32\lsass.exe{B81B27B7-BB74-61F9-580D-02000000CE01}2564C:\Tools\x64\mimikatz.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000071087371Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:04.315{B81B27B7-BB74-61F9-580D-02000000CE01}2564C:\Tools\x64\mimikatz.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 10341000x800000000000000071087370Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:04.315{B81B27B7-BB14-61F9-4F0D-02000000CE01}50205068C:\Windows\system32\conhost.exe{B81B27B7-BB74-61F9-580D-02000000CE01}2564C:\Tools\x64\mimikatz.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087369Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:04.315{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087368Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:04.315{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087367Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:04.315{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087366Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:04.315{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087365Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:04.315{B81B27B7-AECD-61F9-A70B-02000000CE01}2203852C:\Windows\system32\csrss.exe{B81B27B7-BB74-61F9-580D-02000000CE01}2564C:\Tools\x64\mimikatz.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000071087364Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:04.315{B81B27B7-BB14-61F9-4E0D-02000000CE01}24002204C:\Windows\system32\cmd.exe{B81B27B7-BB74-61F9-580D-02000000CE01}2564C:\Tools\x64\mimikatz.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000071087363Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:04.323{B81B27B7-BB74-61F9-580D-02000000CE01}2564C:\Tools\x64\mimikatz.exe2.2.0.0mimikatz for Windowsmimikatzgentilkiwi (Benjamin DELPY)mimikatz.exemimikatz.exe "privilege::debug" "sekurlsa::tickets /export"C:\Tools\x64\ATTACKRANGE\REED_SCHMIDT{B81B27B7-AECE-61F9-0184-781000000000}0x107884015MediumMD5=BB8BDB3E8C92E97E2F63626BC3B254C4,SHA256=912018AB3C6B16B39EE84F17745FF0C80A33CEE241013EC35D0281E40C0658D9,IMPHASH=9528A0E91E28FBB88AD433FEABCA2456{B81B27B7-BB14-61F9-4E0D-02000000CE01}2400C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" 23542300x800000000000000071087362Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:04.221{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9755226DC2640901209D1D897A7B03D4,SHA256=96EA9FAFC0A2B52B957BE923F6D92D8DD832ACC3562C48AF007D466D31813211,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087361Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:04.221{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=84D0D30ACF44EA8EB1AF396CD761AA74,SHA256=A62F638FB53819C3CA5F8C741962FD94B0D2A2AA8C31A6B432C33A97A5488557,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000071087360Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:55.890{B81B27B7-4B45-61E8-6600-00000000CE01}4020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local54111-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000150684639Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:04.422{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=16F17A79450BBD4BC845C10409B10615,SHA256=48E76552F652C5D532CDDA5931A85B8382DAC59B5B71BEEECACE473D16F12033,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000150684638Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:45.681{3BF36828-4B56-61E8-6D00-00000000CF01}4044C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local59781-false10.0.1.12-8000- 23542300x800000000000000071087376Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:05.957{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BD72970119E3D415BA503B2FE51049D,SHA256=AAA915C8D31415593ACA4BAF7819A282DFEE9F8341DAB5FB97DEDEB6424175C9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684647Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:05.563{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BF9FD9EB0C18C35C24D274BD984308F,SHA256=685A95B938DA2B54D9C8AE98B3C8ED6677A3467618307992E247BE3BFCACEB26,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087375Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:05.346{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9755226DC2640901209D1D897A7B03D4,SHA256=96EA9FAFC0A2B52B957BE923F6D92D8DD832ACC3562C48AF007D466D31813211,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000150684646Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:47.357{3BF36828-4B39-61E8-1400-00000000CF01}1072C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.14win-dc-128.attackrange.local59782-false209.197.3.8vip0x008.map2.ssl.hwcdn.net80http 354300x8000000000000000150684645Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:47.347{3BF36828-4B49-61E8-2E00-00000000CF01}2160C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local64682- 354300x8000000000000000150684644Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:47.346{3BF36828-4B49-61E8-2E00-00000000CF01}2160C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local62571- 354300x8000000000000000150684643Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:47.345{3BF36828-4B49-61E8-2E00-00000000CF01}2160C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local59322- 23542300x8000000000000000150684648Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:06.594{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20D1E160F40BC5C6814E544024E3F28F,SHA256=DA7E2AFB3C7CA2818EB0B4428EE0AB98B63BF93BBCEC8CDF6AB1EB8C75035150,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684649Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:07.610{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F95EF3CAC10603B44A8874F8EE39E240,SHA256=DF28D754523E558DF71012009E64013E360F66A1775299739906CFB65255054D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087377Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:07.064{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E86B3CC7A13502697E231FEF4C812ED9,SHA256=F0679D47C2DDBEEFEB2FE420656A279A935D0D9CC888597B3E7901A264B1874B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684705Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:08.969{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7A0991DBA405642F31B98A5ACDC6261,SHA256=E31A076E6E835C526FFC3A53D83B7CB43963EF9CEAE78FE8CD66ADA545E1DFF3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000150684704Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:08.703{3BF36828-BB78-61F9-920D-02000000CF01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000150684703Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:08.703{3BF36828-BB78-61F9-920D-02000000CF01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000150684702Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:08.703{3BF36828-BB78-61F9-920D-02000000CF01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 354300x800000000000000071087379Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:01.733{B81B27B7-4B45-61E8-6600-00000000CE01}4020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local54112-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000071087378Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:08.099{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31D84A88FDB98088F5E3D60B1A4A52F7,SHA256=ADD2138F457EDF95EF134F00C4F73DFBC8D79C1AF0C537DB13802C1C6A54BCCC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000150684701Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:08.547{3BF36828-BB78-61F9-920D-02000000CF01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000150684700Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:08.547{3BF36828-BB78-61F9-920D-02000000CF01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000150684699Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:08.547{3BF36828-BB78-61F9-920D-02000000CF01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000150684698Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:08.547{3BF36828-BB78-61F9-920D-02000000CF01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000150684697Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:08.547{3BF36828-BB78-61F9-920D-02000000CF01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000150684696Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:08.547{3BF36828-BB78-61F9-920D-02000000CF01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000150684695Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:08.547{3BF36828-BB78-61F9-920D-02000000CF01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000150684694Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:08.547{3BF36828-BB78-61F9-920D-02000000CF01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000150684693Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:08.531{3BF36828-BB78-61F9-920D-02000000CF01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000150684692Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:08.531{3BF36828-BB78-61F9-920D-02000000CF01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000150684691Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:08.531{3BF36828-BB78-61F9-920D-02000000CF01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000150684690Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:08.531{3BF36828-BB78-61F9-920D-02000000CF01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000150684689Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:08.531{3BF36828-BB78-61F9-920D-02000000CF01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000150684688Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:08.531{3BF36828-BB78-61F9-920D-02000000CF01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000150684687Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:08.531{3BF36828-BB78-61F9-920D-02000000CF01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000150684686Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:08.531{3BF36828-BB78-61F9-920D-02000000CF01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000150684685Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:08.531{3BF36828-BB78-61F9-920D-02000000CF01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000150684684Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:08.531{3BF36828-BB78-61F9-920D-02000000CF01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000150684683Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:08.531{3BF36828-BB78-61F9-920D-02000000CF01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000150684682Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:08.531{3BF36828-BB78-61F9-920D-02000000CF01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000150684681Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:08.531{3BF36828-BB78-61F9-920D-02000000CF01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000150684680Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:08.531{3BF36828-BB78-61F9-920D-02000000CF01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000150684679Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:08.531{3BF36828-BB78-61F9-920D-02000000CF01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000150684678Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:08.531{3BF36828-BB78-61F9-920D-02000000CF01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000150684677Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:08.531{3BF36828-BB78-61F9-920D-02000000CF01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000150684676Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:08.531{3BF36828-BB78-61F9-920D-02000000CF01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150684675Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:08.531{3BF36828-BB78-61F9-920D-02000000CF01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000150684674Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:08.531{3BF36828-BB78-61F9-920D-02000000CF01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000150684673Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:08.531{3BF36828-BB78-61F9-920D-02000000CF01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000150684672Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:08.531{3BF36828-BB78-61F9-920D-02000000CF01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000150684671Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:08.531{3BF36828-BB78-61F9-920D-02000000CF01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x8000000000000000150684670Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:08.531{3BF36828-BB78-61F9-920D-02000000CF01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000150684669Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:08.531{3BF36828-BB78-61F9-920D-02000000CF01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000150684668Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:08.531{3BF36828-BB78-61F9-920D-02000000CF01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x8000000000000000150684667Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:08.531{3BF36828-BB78-61F9-920D-02000000CF01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x8000000000000000150684666Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:08.531{3BF36828-BB78-61F9-920D-02000000CF01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000150684665Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:08.531{3BF36828-BB78-61F9-920D-02000000CF01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x8000000000000000150684664Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:08.531{3BF36828-BB78-61F9-920D-02000000CF01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000150684663Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:08.531{3BF36828-BB78-61F9-920D-02000000CF01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000150684662Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:08.531{3BF36828-BB78-61F9-920D-02000000CF01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x8000000000000000150684661Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:08.531{3BF36828-4B4B-61E8-3600-00000000CF01}34443464C:\Windows\system32\conhost.exe{3BF36828-BB78-61F9-920D-02000000CF01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150684660Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:08.531{3BF36828-BB78-61F9-920D-02000000CF01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000150684659Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:08.531{3BF36828-BB78-61F9-920D-02000000CF01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000150684658Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:08.531{3BF36828-BB78-61F9-920D-02000000CF01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150684657Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:08.531{3BF36828-BB78-61F9-920D-02000000CF01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AECtrueSplunk, Inc.Valid 10341000x8000000000000000150684656Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:08.531{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684655Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:08.531{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684654Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:08.531{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684653Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:08.531{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684652Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:08.531{3BF36828-4B36-61E8-0500-00000000CF01}416532C:\Windows\system32\csrss.exe{3BF36828-BB78-61F9-920D-02000000CF01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000150684651Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:08.531{3BF36828-4B49-61E8-2D00-00000000CF01}30564072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-BB78-61F9-920D-02000000CF01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000150684650Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:08.517{3BF36828-BB78-61F9-920D-02000000CF01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4B37-61E8-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000150684807Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.953{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A89F4DBD11F65EA99C64D7072BC0DA3D,SHA256=DDAA10DDEB6E530A249CB4335AA96D2BA462FFC3DAB614134DA3BEC2E83AA5A2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000150684806Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.922{3BF36828-BB79-61F9-940D-02000000CF01}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000150684805Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.922{3BF36828-BB79-61F9-940D-02000000CF01}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000150684804Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.922{3BF36828-BB79-61F9-940D-02000000CF01}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000150684803Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.922{3BF36828-BB79-61F9-940D-02000000CF01}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000150684802Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.922{3BF36828-BB79-61F9-940D-02000000CF01}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000150684801Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.922{3BF36828-BB79-61F9-940D-02000000CF01}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000150684800Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.922{3BF36828-BB79-61F9-940D-02000000CF01}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000150684799Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.922{3BF36828-BB79-61F9-940D-02000000CF01}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000150684798Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.906{3BF36828-BB79-61F9-940D-02000000CF01}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000150684797Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.906{3BF36828-BB79-61F9-940D-02000000CF01}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000150684796Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.906{3BF36828-BB79-61F9-940D-02000000CF01}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000150684795Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.906{3BF36828-BB79-61F9-940D-02000000CF01}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000150684794Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.906{3BF36828-BB79-61F9-940D-02000000CF01}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000150684793Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.906{3BF36828-BB79-61F9-940D-02000000CF01}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000150684792Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.906{3BF36828-BB79-61F9-940D-02000000CF01}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000150684791Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.906{3BF36828-BB79-61F9-940D-02000000CF01}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000150684790Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.906{3BF36828-BB79-61F9-940D-02000000CF01}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150684789Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.906{3BF36828-BB79-61F9-940D-02000000CF01}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000150684788Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.906{3BF36828-BB79-61F9-940D-02000000CF01}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000150684787Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.906{3BF36828-BB79-61F9-940D-02000000CF01}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000150684786Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.906{3BF36828-BB79-61F9-940D-02000000CF01}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000150684785Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.906{3BF36828-BB79-61F9-940D-02000000CF01}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000150684784Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.906{3BF36828-BB79-61F9-940D-02000000CF01}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000150684783Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.906{3BF36828-BB79-61F9-940D-02000000CF01}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000150684782Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.906{3BF36828-BB79-61F9-940D-02000000CF01}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000150684781Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.906{3BF36828-BB79-61F9-940D-02000000CF01}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000150684780Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.906{3BF36828-BB79-61F9-940D-02000000CF01}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000150684779Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.906{3BF36828-BB79-61F9-940D-02000000CF01}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000150684778Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.906{3BF36828-BB79-61F9-940D-02000000CF01}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000150684777Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.906{3BF36828-BB79-61F9-940D-02000000CF01}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000150684776Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.906{3BF36828-BB79-61F9-940D-02000000CF01}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000150684775Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.906{3BF36828-BB79-61F9-940D-02000000CF01}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000150684774Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.906{3BF36828-BB79-61F9-940D-02000000CF01}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000150684773Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.906{3BF36828-BB79-61F9-940D-02000000CF01}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000150684772Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.906{3BF36828-BB79-61F9-940D-02000000CF01}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000150684771Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.906{3BF36828-BB79-61F9-940D-02000000CF01}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x8000000000000000150684770Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.906{3BF36828-4B4B-61E8-3600-00000000CF01}34443464C:\Windows\system32\conhost.exe{3BF36828-BB79-61F9-940D-02000000CF01}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150684769Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.906{3BF36828-BB79-61F9-940D-02000000CF01}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000150684768Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.906{3BF36828-BB79-61F9-940D-02000000CF01}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000150684767Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.906{3BF36828-BB79-61F9-940D-02000000CF01}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150684766Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.906{3BF36828-BB79-61F9-940D-02000000CF01}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25trueSplunk, Inc.Valid 10341000x8000000000000000150684765Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.906{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684764Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.906{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684763Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.906{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684762Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.906{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684761Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.906{3BF36828-4B36-61E8-0500-00000000CF01}4164876C:\Windows\system32\csrss.exe{3BF36828-BB79-61F9-940D-02000000CF01}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000150684760Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.906{3BF36828-4B49-61E8-2D00-00000000CF01}30564072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-BB79-61F9-940D-02000000CF01}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000150684759Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.892{3BF36828-BB79-61F9-940D-02000000CF01}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4B37-61E8-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000071087396Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:09.912{B81B27B7-4B3C-61E8-3000-00000000CE01}31083128C:\Windows\system32\conhost.exe{B81B27B7-BB79-61F9-5A0D-02000000CE01}4996C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087395Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:09.912{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087394Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:09.912{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087393Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:09.912{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087392Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:09.912{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087391Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:09.912{B81B27B7-4B38-61E8-0500-00000000CE01}420436C:\Windows\system32\csrss.exe{B81B27B7-BB79-61F9-5A0D-02000000CE01}4996C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000071087390Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:09.912{B81B27B7-4B3A-61E8-2600-00000000CE01}21723992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-BB79-61F9-5A0D-02000000CE01}4996C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000071087389Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:09.898{B81B27B7-BB79-61F9-5A0D-02000000CE01}4996C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4B39-61E8-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000071087388Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:09.240{B81B27B7-4B3C-61E8-3000-00000000CE01}31083128C:\Windows\system32\conhost.exe{B81B27B7-BB79-61F9-590D-02000000CE01}4884C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087387Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:09.224{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087386Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:09.224{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087385Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:09.224{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087384Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:09.224{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087383Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:09.224{B81B27B7-4B38-61E8-0500-00000000CE01}420436C:\Windows\system32\csrss.exe{B81B27B7-BB79-61F9-590D-02000000CE01}4884C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000071087382Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:09.224{B81B27B7-4B3A-61E8-2600-00000000CE01}21723992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-BB79-61F9-590D-02000000CE01}4884C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000071087381Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:09.209{B81B27B7-BB79-61F9-590D-02000000CE01}4884C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4B39-61E8-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000071087380Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:09.101{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C06F9DBC055BA219446805FB97820755,SHA256=ADDD2C9E412A5113D05B52D750B0496215934817B5B027B39FD260C06273E60C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000150684758Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:51.727{3BF36828-4B56-61E8-6D00-00000000CF01}4044C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local59783-false10.0.1.12-8000- 734700x8000000000000000150684757Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.376{3BF36828-BB79-61F9-930D-02000000CF01}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000150684756Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.376{3BF36828-BB79-61F9-930D-02000000CF01}20285980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150684755Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.376{3BF36828-BB79-61F9-930D-02000000CF01}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000150684754Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.376{3BF36828-BB79-61F9-930D-02000000CF01}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000150684753Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.235{3BF36828-BB79-61F9-930D-02000000CF01}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000150684752Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.235{3BF36828-BB79-61F9-930D-02000000CF01}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000150684751Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.235{3BF36828-BB79-61F9-930D-02000000CF01}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000150684750Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.235{3BF36828-BB79-61F9-930D-02000000CF01}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000150684749Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.235{3BF36828-BB79-61F9-930D-02000000CF01}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000150684748Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.235{3BF36828-BB79-61F9-930D-02000000CF01}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000150684747Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.235{3BF36828-BB79-61F9-930D-02000000CF01}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000150684746Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.235{3BF36828-BB79-61F9-930D-02000000CF01}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000150684745Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.219{3BF36828-BB79-61F9-930D-02000000CF01}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000150684744Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.219{3BF36828-BB79-61F9-930D-02000000CF01}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000150684743Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.219{3BF36828-BB79-61F9-930D-02000000CF01}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000150684742Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.219{3BF36828-BB79-61F9-930D-02000000CF01}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000150684741Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.219{3BF36828-BB79-61F9-930D-02000000CF01}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000150684740Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.219{3BF36828-BB79-61F9-930D-02000000CF01}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000150684739Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.219{3BF36828-BB79-61F9-930D-02000000CF01}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000150684738Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.219{3BF36828-BB79-61F9-930D-02000000CF01}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000150684737Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.219{3BF36828-BB79-61F9-930D-02000000CF01}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000150684736Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.219{3BF36828-BB79-61F9-930D-02000000CF01}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150684735Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.219{3BF36828-BB79-61F9-930D-02000000CF01}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000150684734Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.219{3BF36828-BB79-61F9-930D-02000000CF01}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000150684733Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.219{3BF36828-BB79-61F9-930D-02000000CF01}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000150684732Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.219{3BF36828-BB79-61F9-930D-02000000CF01}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000150684731Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.219{3BF36828-BB79-61F9-930D-02000000CF01}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000150684730Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.219{3BF36828-BB79-61F9-930D-02000000CF01}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000150684729Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.219{3BF36828-BB79-61F9-930D-02000000CF01}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000150684728Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.219{3BF36828-BB79-61F9-930D-02000000CF01}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000150684727Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.219{3BF36828-BB79-61F9-930D-02000000CF01}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000150684726Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.219{3BF36828-BB79-61F9-930D-02000000CF01}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000150684725Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.219{3BF36828-BB79-61F9-930D-02000000CF01}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000150684724Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.219{3BF36828-BB79-61F9-930D-02000000CF01}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000150684723Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.219{3BF36828-BB79-61F9-930D-02000000CF01}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000150684722Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.219{3BF36828-BB79-61F9-930D-02000000CF01}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000150684721Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.219{3BF36828-BB79-61F9-930D-02000000CF01}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000150684720Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.219{3BF36828-BB79-61F9-930D-02000000CF01}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000150684719Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.219{3BF36828-BB79-61F9-930D-02000000CF01}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x8000000000000000150684718Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.219{3BF36828-4B4B-61E8-3600-00000000CF01}34443464C:\Windows\system32\conhost.exe{3BF36828-BB79-61F9-930D-02000000CF01}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150684717Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.219{3BF36828-BB79-61F9-930D-02000000CF01}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000150684716Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.219{3BF36828-BB79-61F9-930D-02000000CF01}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000150684715Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.219{3BF36828-BB79-61F9-930D-02000000CF01}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150684714Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.219{3BF36828-BB79-61F9-930D-02000000CF01}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x8000000000000000150684713Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.219{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684712Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.219{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684711Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.219{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684710Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.219{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684709Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.219{3BF36828-4B36-61E8-0500-00000000CF01}416532C:\Windows\system32\csrss.exe{3BF36828-BB79-61F9-930D-02000000CF01}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000150684708Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.219{3BF36828-4B49-61E8-2D00-00000000CF01}30564072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-BB79-61F9-930D-02000000CF01}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000150684707Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.204{3BF36828-BB79-61F9-930D-02000000CF01}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4B37-61E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000150684706Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.203{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E96330CFDEF0F613F1978ABC8079B17C,SHA256=EB1CBA191EEA5DE4C112CB35B3FFE53655F6A528DA3D47E0E3D8B371EAE742A2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000071087407Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:10.771{B81B27B7-BB7A-61F9-5B0D-02000000CE01}18484648C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087406Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:10.599{B81B27B7-4B3C-61E8-3000-00000000CE01}31083128C:\Windows\system32\conhost.exe{B81B27B7-BB7A-61F9-5B0D-02000000CE01}1848C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087405Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:10.599{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087404Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:10.599{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087403Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:10.599{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087402Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:10.599{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087401Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:10.599{B81B27B7-4B38-61E8-0500-00000000CE01}420436C:\Windows\system32\csrss.exe{B81B27B7-BB7A-61F9-5B0D-02000000CE01}1848C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000071087400Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:10.599{B81B27B7-4B3A-61E8-2600-00000000CE01}21723992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-BB7A-61F9-5B0D-02000000CE01}1848C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000071087399Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:10.584{B81B27B7-BB7A-61F9-5B0D-02000000CE01}1848C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4B39-61E8-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000071087398Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:10.209{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF7B013A01295F3C1EE049ADF9DD0F9B,SHA256=B2F1AC755588D41845CEFD60FFCF3D3F2365E7E94EB07C232F3936FF0BC7E9DB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087397Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:10.209{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C753412D08E0C9696B4C00140FDF7B76,SHA256=6713059A0FC85ABD5C9D3839A9E1CE55F864A2A6CB0AA3671885BBCEA45C5BFB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000150684864Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:10.766{3BF36828-BB7A-61F9-950D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000150684863Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:10.766{3BF36828-BB7A-61F9-950D-02000000CF01}51721628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150684862Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:10.766{3BF36828-BB7A-61F9-950D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000150684861Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:10.766{3BF36828-BB7A-61F9-950D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000150684860Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:10.672{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57E10C19EE9AA4525B7E8B79E7D36C86,SHA256=AAED206404B14DE27F34D35200B9C2ED39416ABED6B2273E4ED1E822303CEF33,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000150684859Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:10.610{3BF36828-BB7A-61F9-950D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000150684858Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:10.610{3BF36828-BB7A-61F9-950D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000150684857Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:10.610{3BF36828-BB7A-61F9-950D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000150684856Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:10.610{3BF36828-BB7A-61F9-950D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000150684855Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:10.610{3BF36828-BB7A-61F9-950D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000150684854Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:10.610{3BF36828-BB7A-61F9-950D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000150684853Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:10.610{3BF36828-BB7A-61F9-950D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000150684852Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:10.594{3BF36828-BB7A-61F9-950D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000150684851Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:10.594{3BF36828-BB7A-61F9-950D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000150684850Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:10.594{3BF36828-BB7A-61F9-950D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000150684849Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:10.594{3BF36828-BB7A-61F9-950D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000150684848Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:10.594{3BF36828-BB7A-61F9-950D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000150684847Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:10.594{3BF36828-BB7A-61F9-950D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000150684846Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:10.594{3BF36828-BB7A-61F9-950D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000150684845Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:10.594{3BF36828-BB7A-61F9-950D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000150684844Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:10.594{3BF36828-BB7A-61F9-950D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150684843Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:10.594{3BF36828-BB7A-61F9-950D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000150684842Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:10.594{3BF36828-BB7A-61F9-950D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000150684841Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:10.594{3BF36828-BB7A-61F9-950D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000150684840Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:10.594{3BF36828-BB7A-61F9-950D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000150684839Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:10.594{3BF36828-BB7A-61F9-950D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000150684838Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:10.594{3BF36828-BB7A-61F9-950D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000150684837Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:10.594{3BF36828-BB7A-61F9-950D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000150684836Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:10.594{3BF36828-BB7A-61F9-950D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000150684835Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:10.594{3BF36828-BB7A-61F9-950D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000150684834Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:10.594{3BF36828-BB7A-61F9-950D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000150684833Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:10.594{3BF36828-BB7A-61F9-950D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000150684832Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:10.594{3BF36828-BB7A-61F9-950D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000150684831Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:10.594{3BF36828-BB7A-61F9-950D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000150684830Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:10.594{3BF36828-BB7A-61F9-950D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000150684829Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:10.594{3BF36828-BB7A-61F9-950D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000150684828Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:10.594{3BF36828-BB7A-61F9-950D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000150684827Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:10.594{3BF36828-BB7A-61F9-950D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000150684826Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:10.594{3BF36828-BB7A-61F9-950D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000150684825Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:10.594{3BF36828-BB7A-61F9-950D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x8000000000000000150684824Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:10.594{3BF36828-4B4B-61E8-3600-00000000CF01}34443464C:\Windows\system32\conhost.exe{3BF36828-BB7A-61F9-950D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150684823Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:10.594{3BF36828-BB7A-61F9-950D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000150684822Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:10.594{3BF36828-BB7A-61F9-950D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000150684821Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:10.594{3BF36828-BB7A-61F9-950D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150684820Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:10.594{3BF36828-BB7A-61F9-950D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x8000000000000000150684819Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:10.594{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684818Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:10.594{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684817Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:10.594{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684816Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:10.594{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684815Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:10.594{3BF36828-4B36-61E8-0500-00000000CF01}416432C:\Windows\system32\csrss.exe{3BF36828-BB7A-61F9-950D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000150684814Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:10.594{3BF36828-4B49-61E8-2D00-00000000CF01}30564072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-BB7A-61F9-950D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000150684813Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:10.579{3BF36828-BB7A-61F9-950D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4B37-61E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000150684812Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:10.219{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2C608C10A87CEAF7A48A18A8B4AA335F,SHA256=F6550B6B74B2E7B72DCBCBCBAAF4FD3E1CD4F702EAECAA4E237D424143256A15,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000150684811Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:10.078{3BF36828-BB79-61F9-940D-02000000CF01}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000150684810Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:10.078{3BF36828-BB79-61F9-940D-02000000CF01}33403772C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150684809Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:10.063{3BF36828-BB79-61F9-940D-02000000CF01}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000150684808Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:10.063{3BF36828-BB79-61F9-940D-02000000CF01}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000071087409Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:11.615{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=17A9B70C6FCE9F5EDE343790D7691388,SHA256=2273CA48E18F3F5A114B154D7B90AB5A36581F8C2D367960FB6729DDC7065344,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087408Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:11.256{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2198371938B570BEE1323AA69370FFC1,SHA256=EB6211B652C2C654D70F4A69DBB9EFE30DC2E0170445C7FFEE431901748B7F7A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684866Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:11.625{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9CE2F4F82BD847F347320411AAA10BE6,SHA256=189F9EE961A1E9D23D4F7B8761E25752FAA4066B47EADA1388C224EE0307F047,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684865Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:11.016{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5C2E97ACD811B740A22E6CDC799F53F,SHA256=A94C73C596DCAA4C82FEBDB6AE005F79505FA0271840A57023FF0AF3D16DEE6D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087410Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:12.318{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97C3A332436CC8E93D9CBAA5059D0436,SHA256=5FA4191C7A1FB914D21972C7AD2FE7B5AF561F8B63CFE336A1A13D167CEF7586,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684867Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:12.047{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2ED589656A827731EB24044A5AE89DF3,SHA256=0ECA574C3E6B16EDCBE48268392BAFC065CE764B3E5CA53004DAA376BAF5237D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000071087412Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:06.831{B81B27B7-4B45-61E8-6600-00000000CE01}4020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local54113-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000071087411Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:13.334{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43FCA908787465EFCB15A1385AADD400,SHA256=D0E6DF938DD190EDB16775B574DCE2B8E134A27177C1A0DF7B2BD21CBF47CCF1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684868Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:13.063{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF1DED9D167B8864F9AD4BBDB9595451,SHA256=C0147C7BB1B3E7FC69DAAA10BB0EFE1BFAED518F4BC265E7E1FE5927E77D9D3F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087413Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:14.381{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1411981F69FDE3E470364204775D453,SHA256=73EFCAE0797912053AE6C8E057C82E5F13EDA4ACEF86638321A0747F82AB160A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000150684871Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:56.805{3BF36828-4B56-61E8-6D00-00000000CF01}4044C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local59784-false10.0.1.12-8000- 23542300x8000000000000000150684870Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:14.266{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2A627AFB556951FB3C7513312CF3A10A,SHA256=B9AC40D05C596093280F4B8056070D9F273EBCB425CCD3F8745FCC54B3030133,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684869Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:14.078{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1DA57A87C3A41377134CBE46688FDC3,SHA256=F9A68B006BBDD7DDA32A6841B6F9E425F408250B3614736AF8A7EEC90C67A7AF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087414Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:15.412{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D06D6FD1167966E7BE753DE8B716C079,SHA256=E61D1899F487E1E40674B82D9EB6C13BBC3BA7E7D7AC4DC95E39FE4E7A69C6F8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684872Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:15.110{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E664907F7B2E26600A3307A3AFACD708,SHA256=B2C7F5F5ACEE35716A87EA5A26F79F5FEB086C97CF01C678C5A2E00CCE667AF9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087416Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:16.443{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7CE4E07E6D64C0623EFD135D55F5DF8,SHA256=940815CBE644DC32158AACA17257676E4E5399654319A867719A6B868C336511,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684873Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:16.141{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=277B99F4B6133D5A0CF54D575139FD10,SHA256=31964025BF9EC31B0FF92CD1FCC52B1FD1F3C4AA4A8FAB95A49474A69C77C1B1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087415Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:16.084{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=56E0791895D43526AC30B324FD791833,SHA256=26649E112FA849A7345378E0925C81B3A86BC086C46D0978AAF5407ACDA6F81B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087417Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:17.459{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=907184F9B3AEA10799E74602D0E719AE,SHA256=4811ADE62572A4D83022A2148E047BFF7B3F02E874E53A2D7E65DA25C5EE485B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000150684925Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:17.641{3BF36828-BB81-61F9-960D-02000000CF01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000150684924Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:17.641{3BF36828-BB81-61F9-960D-02000000CF01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000150684923Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:17.641{3BF36828-BB81-61F9-960D-02000000CF01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000150684922Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:17.485{3BF36828-BB81-61F9-960D-02000000CF01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000150684921Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:17.485{3BF36828-BB81-61F9-960D-02000000CF01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000150684920Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:17.485{3BF36828-BB81-61F9-960D-02000000CF01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000150684919Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:17.485{3BF36828-BB81-61F9-960D-02000000CF01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000150684918Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:17.485{3BF36828-BB81-61F9-960D-02000000CF01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000150684917Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:17.485{3BF36828-BB81-61F9-960D-02000000CF01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000150684916Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:17.485{3BF36828-BB81-61F9-960D-02000000CF01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000150684915Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:17.469{3BF36828-BB81-61F9-960D-02000000CF01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000150684914Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:17.469{3BF36828-BB81-61F9-960D-02000000CF01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000150684913Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:17.469{3BF36828-BB81-61F9-960D-02000000CF01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000150684912Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:17.469{3BF36828-BB81-61F9-960D-02000000CF01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000150684911Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:17.469{3BF36828-BB81-61F9-960D-02000000CF01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000150684910Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:17.469{3BF36828-BB81-61F9-960D-02000000CF01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000150684909Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:17.469{3BF36828-BB81-61F9-960D-02000000CF01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000150684908Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:17.469{3BF36828-BB81-61F9-960D-02000000CF01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045,IMPHASH=2005807FD04567B79F4109D23F9E6018trueMicrosoft WindowsValid 734700x8000000000000000150684907Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:17.469{3BF36828-BB81-61F9-960D-02000000CF01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000150684906Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:17.469{3BF36828-BB81-61F9-960D-02000000CF01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000150684905Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:17.469{3BF36828-BB81-61F9-960D-02000000CF01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000150684904Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:17.469{3BF36828-BB81-61F9-960D-02000000CF01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000150684903Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:17.469{3BF36828-BB81-61F9-960D-02000000CF01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000150684902Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:17.469{3BF36828-BB81-61F9-960D-02000000CF01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000150684901Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:17.469{3BF36828-BB81-61F9-960D-02000000CF01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000150684900Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:17.469{3BF36828-BB81-61F9-960D-02000000CF01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000150684899Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:17.469{3BF36828-BB81-61F9-960D-02000000CF01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000150684898Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:17.469{3BF36828-BB81-61F9-960D-02000000CF01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000150684897Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:17.469{3BF36828-BB81-61F9-960D-02000000CF01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000150684896Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:17.469{3BF36828-BB81-61F9-960D-02000000CF01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000150684895Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:17.469{3BF36828-BB81-61F9-960D-02000000CF01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000150684894Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:17.469{3BF36828-BB81-61F9-960D-02000000CF01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000150684893Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:17.469{3BF36828-BB81-61F9-960D-02000000CF01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000150684892Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:17.469{3BF36828-BB81-61F9-960D-02000000CF01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000150684891Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:17.469{3BF36828-BB81-61F9-960D-02000000CF01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x8000000000000000150684890Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:17.469{3BF36828-BB81-61F9-960D-02000000CF01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000150684889Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:17.469{3BF36828-BB81-61F9-960D-02000000CF01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000150684888Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:17.469{3BF36828-BB81-61F9-960D-02000000CF01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150684887Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:17.469{3BF36828-BB81-61F9-960D-02000000CF01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000150684886Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:17.469{3BF36828-4B4B-61E8-3600-00000000CF01}34443464C:\Windows\system32\conhost.exe{3BF36828-BB81-61F9-960D-02000000CF01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150684885Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:17.469{3BF36828-BB81-61F9-960D-02000000CF01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000150684884Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:17.469{3BF36828-BB81-61F9-960D-02000000CF01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000150684883Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:17.469{3BF36828-BB81-61F9-960D-02000000CF01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150684882Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:17.469{3BF36828-BB81-61F9-960D-02000000CF01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748trueSplunk, Inc.Valid 10341000x8000000000000000150684881Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:17.469{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684880Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:17.469{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684879Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:17.469{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684878Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:17.469{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684877Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:17.469{3BF36828-4B36-61E8-0500-00000000CF01}416532C:\Windows\system32\csrss.exe{3BF36828-BB81-61F9-960D-02000000CF01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000150684876Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:17.469{3BF36828-4B49-61E8-2D00-00000000CF01}30564072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-BB81-61F9-960D-02000000CF01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000150684875Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:17.454{3BF36828-BB81-61F9-960D-02000000CF01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4B37-61E8-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000150684874Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:17.172{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D29343547D1509AF094327DF2520D311,SHA256=1B2921393B1396FD14A86C893323F78306C3DA12B4778DA750E6D777A86D820C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087418Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:18.474{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C31ED75616928C63790DA51753C6A6B,SHA256=C80DA33894A57372EFC6D5247263A4534CA6AD00C614672F0E45AE8FAE9EBEAB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684927Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:18.594{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE9715AFF4D06261EB29F8B2379622B0,SHA256=AC575904952BAB5587C18A7F389251C3A22D6F9462884AF75B6C353351FBE0AD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684926Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:18.594{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F243C7D6BC4DD488CAEAD324790155E2,SHA256=A75D270664BBC7EE885CDD65FA2F18D705CB72E0A8AA819E2AFADB04BE662C4D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684928Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:19.688{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F15319B684F4806214C9DEB9B88B7F9A,SHA256=3DB20073EC0481CD0813FEA593A2EE34081D85406B743F3443564071026A0CC7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087419Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:19.490{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A54A11409D91617FA70D5F9C697E589,SHA256=D59D1F53E57309617B3A8FA676D212E296CC5566ACA4674E00DA6B6B2A54DC13,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000150684932Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:02.633{3BF36828-4B56-61E8-6D00-00000000CF01}4044C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local59785-false10.0.1.12-8000- 23542300x8000000000000000150684931Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:20.719{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95C58BB4803F3727F0C55272D5D8CA13,SHA256=4B31F1A54A425F2FA2F96704BC2C5D1051BE3D5905CB34A42DF657A2422A5865,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000071087430Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:20.771{B81B27B7-BB84-61F9-5C0D-02000000CE01}38444040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000071087429Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:12.752{B81B27B7-4B45-61E8-6600-00000000CE01}4020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local54114-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x800000000000000071087428Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:20.599{B81B27B7-4B3C-61E8-3000-00000000CE01}31083128C:\Windows\system32\conhost.exe{B81B27B7-BB84-61F9-5C0D-02000000CE01}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087427Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:20.599{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087426Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:20.599{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087425Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:20.599{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087424Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:20.599{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087423Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:20.599{B81B27B7-4B38-61E8-0500-00000000CE01}4202120C:\Windows\system32\csrss.exe{B81B27B7-BB84-61F9-5C0D-02000000CE01}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000071087422Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:20.599{B81B27B7-4B3A-61E8-2600-00000000CE01}21723992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-BB84-61F9-5C0D-02000000CE01}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000071087421Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:20.585{B81B27B7-BB84-61F9-5C0D-02000000CE01}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4B39-61E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000071087420Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:20.506{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72F111643FCA30028877D1A36B5840ED,SHA256=82EAE5332369BD18D8E8B1FFCD06FD12B22DC414C7D14E93AAD552E49F9D5C00,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684930Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:20.313{3BF36828-4B39-61E8-1300-00000000CF01}352NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=63B7DC5AF504CA6C904F20B6802486A1,SHA256=38F3398077904C7AB1D88E404F668753086D6EF1D4F1EE9BE5BAA389E9EA5168,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684929Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:20.110{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B2B30B6266766BEF79C90F6D703EDC8D,SHA256=779F8F290E15C170BD9F5563624A2CDDD01C6B9D6D92E52FC825EF9A9CBF60F2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000071087451Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:21.959{B81B27B7-BB85-61F9-5E0D-02000000CE01}8681180C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087450Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:21.803{B81B27B7-4B3C-61E8-3000-00000000CE01}31083128C:\Windows\system32\conhost.exe{B81B27B7-BB85-61F9-5E0D-02000000CE01}868C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087449Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:21.803{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087448Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:21.803{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087447Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:21.803{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087446Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:21.803{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087445Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:21.803{B81B27B7-4B38-61E8-0500-00000000CE01}420436C:\Windows\system32\csrss.exe{B81B27B7-BB85-61F9-5E0D-02000000CE01}868C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000071087444Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:21.803{B81B27B7-4B3A-61E8-2600-00000000CE01}21723992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-BB85-61F9-5E0D-02000000CE01}868C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000071087443Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:21.788{B81B27B7-BB85-61F9-5E0D-02000000CE01}868C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4B39-61E8-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000071087442Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:21.646{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=31BA744B72A3F66E1AA4233E9AFF0D4C,SHA256=30C8E59ACA0A455FA5F48F5132D7B25616C2F7AB17726DF2F2D651CB5CC60641,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087441Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:21.646{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BC81433D76BB6BCBA7BF4CB3260E15E9,SHA256=28DC04FE75A9D36BC23FCDC1145AE32F53F34656EFFFCBE6369ECE2B00F75710,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000071087440Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:21.538{B81B27B7-BB85-61F9-5D0D-02000000CE01}41724920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000071087439Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:21.521{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAEF34B0580CE464622EF7270A3525D4,SHA256=9E37D04D642A9F2EF445D80DDF2153BE70664E1A5AECB6779734610863212962,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684933Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:21.750{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAF1321861B4999D187B9FDC131A0A01,SHA256=648A062E5B3508FAA4938C8A1E2BE524C6DDD8D5AE4057C86E7177A285D672D9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000071087438Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:21.287{B81B27B7-4B3C-61E8-3000-00000000CE01}31083128C:\Windows\system32\conhost.exe{B81B27B7-BB85-61F9-5D0D-02000000CE01}4172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087437Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:21.287{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087436Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:21.287{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087435Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:21.287{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087434Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:21.287{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087433Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:21.287{B81B27B7-4B38-61E8-0500-00000000CE01}4202120C:\Windows\system32\csrss.exe{B81B27B7-BB85-61F9-5D0D-02000000CE01}4172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000071087432Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:21.287{B81B27B7-4B3A-61E8-2600-00000000CE01}21723992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-BB85-61F9-5D0D-02000000CE01}4172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000071087431Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:21.272{B81B27B7-BB85-61F9-5D0D-02000000CE01}4172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4B39-61E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000150685008Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.766{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E50AC68D7B4555129134C82BAF7089C2,SHA256=F96912B0A63AC3950DC80B976A26279CE7A46792DC56043D8AC895C79791BB8C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000071087464Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:22.912{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1500-00000000CE01}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087463Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:22.912{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1500-00000000CE01}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087462Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:22.912{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1500-00000000CE01}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000071087461Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:22.818{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=31BA744B72A3F66E1AA4233E9AFF0D4C,SHA256=30C8E59ACA0A455FA5F48F5132D7B25616C2F7AB17726DF2F2D651CB5CC60641,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087460Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:22.552{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED95A7A25F87471E13B34B3503494376,SHA256=A24B426166F3FE6FA611A9B16D765A6A3B2450F1BEA08157D335EC46F24519C1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000071087459Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:22.490{B81B27B7-4B3C-61E8-3000-00000000CE01}31083128C:\Windows\system32\conhost.exe{B81B27B7-BB86-61F9-5F0D-02000000CE01}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087458Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:22.490{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087457Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:22.490{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087456Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:22.490{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087455Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:22.490{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087454Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:22.490{B81B27B7-4B38-61E8-0500-00000000CE01}4202120C:\Windows\system32\csrss.exe{B81B27B7-BB86-61F9-5F0D-02000000CE01}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000071087453Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:22.490{B81B27B7-4B3A-61E8-2600-00000000CE01}21723992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-BB86-61F9-5F0D-02000000CE01}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000071087452Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:22.475{B81B27B7-BB86-61F9-5F0D-02000000CE01}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4B39-61E8-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000150685007Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.266{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28A168D2EF603D9DD8E0A936B314D438,SHA256=AE6B07D501D6EA4BD0037EE7C469A9E81215CBA403B0143ACF41FCD9CD1D3DC5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000150685006Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.203{3BF36828-BB86-61F9-970D-02000000CF01}41405964C:\Tools\x64\mimikatz.exe{3BF36828-4B37-61E8-0B00-00000000CF01}632C:\Windows\system32\lsass.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Tools\x64\mimikatz.exe+c0612|C:\Tools\x64\mimikatz.exe+c09e9|C:\Tools\x64\mimikatz.exe+c44c3|C:\Tools\x64\mimikatz.exe+85738|C:\Tools\x64\mimikatz.exe+85570|C:\Tools\x64\mimikatz.exe+852a3|C:\Tools\x64\mimikatz.exe+c7435|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150685005Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.203{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exeC:\Windows\System32\wintrust.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=D8CD8451D1E194230F18866AD6EFE5E7,SHA256=9977AA1287962035C24DF806DDA67F09FFE9BDF696DBA507D749C624AE1C178D,IMPHASH=EC9695F0DF1F52E9D439A942DBDAA111trueMicrosoft WindowsValid 734700x8000000000000000150685004Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.203{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exeC:\Windows\System32\WinTypes.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Base Types DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWinTypes.dllMD5=AAA321C636929D23C58B5A78EDA04B61,SHA256=E33D62CC132B8D790B3604DBE227CD2A270E30C1B71881BB4E3B00732CE56E5C,IMPHASH=58F905117CF0434AF54A7CD9D43EEF30trueMicrosoft WindowsValid 734700x8000000000000000150685003Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.203{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exeC:\Windows\System32\vaultcli.dll10.0.14393.4169 (rs1_release.210107-1130)Credential Vault Client LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationvaultcli.dllMD5=3A4413FEB384CA47420B1A7CB9099BF0,SHA256=338D718FF68D1ACF8AFC366E923B44128E821DDD50A9C282A5F55502BAF288FA,IMPHASH=E0B17C1B749544B11E7164BC8880263EtrueMicrosoft WindowsValid 10341000x8000000000000000150685002Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.203{3BF36828-4B37-61E8-0B00-00000000CF01}632288C:\Windows\system32\lsass.exe{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150685001Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.203{3BF36828-4B37-61E8-0B00-00000000CF01}632288C:\Windows\system32\lsass.exe{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150685000Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.203{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exeC:\Windows\System32\dssenh.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft Enhanced DSS and Diffie-Hellman Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationdssenh.dllMD5=A5EA01D6D9B688CD493DD29CE71DE37F,SHA256=EEEB71D41EA7C0DD4B59610965BBF2F14FABB25E52CBC1AB410ABAE4E403B160,IMPHASH=B1B3EAD9A1589069DFFAB6D2051D69E1trueMicrosoft WindowsValid 734700x8000000000000000150684999Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.203{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000150684998Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.172{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x8000000000000000150684997Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.172{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x8000000000000000150684996Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.172{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000150684995Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.172{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000150684994Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.172{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000150684993Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.172{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000150684992Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.172{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000150684991Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.172{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exeC:\Windows\System32\logoncli.dll10.0.14393.3808 (rs1_release.200707-2105)Net Logon Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationLOGONCLI.DLLMD5=B5C16F0A457DB3C7695AAC9EE7E3EE1E,SHA256=88764349C57E619C6D1253BB2F4AFB27DBD141E9EB9C12D445C20F7384A4F437,IMPHASH=FD7877EA3FC7D2EDCA1ADC932A5034BDtrueMicrosoft WindowsValid 734700x8000000000000000150684990Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.157{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000150684989Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.157{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000150684988Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.157{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exeC:\Windows\System32\devobj.dll10.0.14393.0 (rs1_release.160715-1616)Device Information Set DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationdevinfoset.DLLMD5=72AD993A6E896EB50058A73D045F3284,SHA256=CFF524F52D5F91788F34A47076E0CA36132890981079B27F559279B3F6FC3B11,IMPHASH=DFDCA72C641F8587ADF49CA0ED1D5817trueMicrosoft WindowsValid 734700x8000000000000000150684987Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.157{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exeC:\Windows\System32\winsta.dll10.0.14393.0 (rs1_release.160715-1616)Winstation LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationwinsta.dllMD5=12668CEFEE3754CFA61C5699821668B3,SHA256=D0C81619EDE8B846D98417989684EF16DF3A053CC049C7281E40F3359AD5B570,IMPHASH=2E790E44628AED89C2CC17E1E4A5CE1CtrueMicrosoft WindowsValid 734700x8000000000000000150684986Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.157{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exeC:\Windows\System32\WinSCard.dll10.0.14393.2273 (rs1_release_1.180427-1811)Microsoft Smart Card APIMicrosoft® Windows® Operating SystemMicrosoft Corporationwinscard.dllMD5=85E2B5FCB057B0476687CCFE28E589A5,SHA256=4B99A7709FAC8E9CF95AA186651BE455C0998414E2D2D807DF1B000EB26FBD15,IMPHASH=8E9831D203C36A499228D7F02C6B90D8trueMicrosoft WindowsValid 734700x8000000000000000150684985Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.157{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exeC:\Windows\System32\hid.dll10.0.14393.0 (rs1_release.160715-1616)Hid User LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationhid.dllMD5=DDEB02D7BCB0A346600A3160203C2C95,SHA256=77FD468B4C46A75312426E4368389057EFED233844CF1BC8468983EEC160F178,IMPHASH=A3D80A73BEB6EED1400E993AE6A5B1C3trueMicrosoft WindowsValid 734700x8000000000000000150684984Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.157{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5,IMPHASH=9A7C66851249D4CED6C2C9096DCA243BtrueMicrosoft WindowsValid 734700x8000000000000000150684983Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.157{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000150684982Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.157{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exeC:\Windows\System32\userenv.dll10.0.14393.3986 (rs1_release.201002-1707)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=047D26DCED07A10913C3E7C3A7502BED,SHA256=143C661F79AC6BB271452A10C2A19F6B1AAAAE43B4062B6CFF173F7D8ABC40FE,IMPHASH=C84FC60AE2A79A06E8C46A6929CDECB4trueMicrosoft WindowsValid 734700x8000000000000000150684981Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.157{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exeC:\Windows\System32\setupapi.dll10.0.14393.2608 (rs1_release.181024-1742)Windows Setup APIMicrosoft® Windows® Operating SystemMicrosoft CorporationSETUPAPI.DLLMD5=8EEA3E9E124AC395915517588723F12E,SHA256=ED63B8F0079069271F46EECCB4B0CF384D02BD1E18FE3BA635A0C0B1284B2CBE,IMPHASH=5910ADAAC44A92AFA6ED871531949CEEtrueMicrosoft WindowsValid 734700x8000000000000000150684980Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.157{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x8000000000000000150684979Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.157{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430D,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x8000000000000000150684978Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.157{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000150684977Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.157{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x8000000000000000150684976Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.157{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exeC:\Windows\System32\windows.storage.dll10.0.14393.4402 (rs1_release.210426-1725)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=DCB0FEE21129CF5397BBB8060CC5F62C,SHA256=89A6859022294A24D5253F4206FD49A45A1DEF34ACC894BF94CA0203DAE81623,IMPHASH=181A859176420BBB803F246C0E4B0889trueMicrosoft WindowsValid 734700x8000000000000000150684975Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.157{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x8000000000000000150684974Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.157{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000150684973Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.157{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exeC:\Windows\System32\samlib.dll10.0.14393.0 (rs1_release.160715-1616)SAM Library DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSAMLib.DLLMD5=4C413FEDB1B88DA18059890CE0BC95D1,SHA256=FAD279CE82D1616A533D6E5D3A20543B51FDBDDE4C764E09F6A01C8B0E44218A,IMPHASH=BF11630905AADA27934CD5411323FA5BtrueMicrosoft WindowsValid 734700x8000000000000000150684972Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.157{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exeC:\Windows\System32\shell32.dll10.0.14393.4402 (rs1_release.210426-1725)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=5B28CA0CDE72EA21C402B62DDA249256,SHA256=8E46588F0A51745F89CB6C3011B227BE504D9B9D14FF33910DF57F4EDF15ED9A,IMPHASH=2ED99A476E2DEFB78DF894322CB4A549trueMicrosoft WindowsValid 734700x8000000000000000150684971Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.157{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CA,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x8000000000000000150684970Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.157{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000150684969Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.157{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000150684968Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.157{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150684967Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.157{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000150684966Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.157{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exeC:\Windows\System32\dpapi.dll10.0.14393.0 (rs1_release.160715-1616)Data Protection APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdpapi.dllMD5=927EA28A3F416A5A5E9FC638CA245EF5,SHA256=D399633CC99D754DD999BB4FFADD768FEA82F57A0241809117AD786DC33DD30E,IMPHASH=8F811B713271A0FEFA798FB95D523A8BtrueMicrosoft WindowsValid 734700x8000000000000000150684965Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.157{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000150684964Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.157{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000150684963Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.157{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exeC:\Windows\System32\odbc32.dll10.0.14393.3471 (rs1_release_1.191218-1729)ODBC Driver ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationodbc32.dllMD5=7BE20E672645485F6A3B2E34389344BA,SHA256=B6F6E06CACEE09FB6CC0ACF874477FC9094EA4C14A07FF59B228BDD23C7BF02A,IMPHASH=B6FE10FF835FBB8612CC749787B5472EtrueMicrosoft WindowsValid 734700x8000000000000000150684962Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.157{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x8000000000000000150684961Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.157{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000150684960Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.157{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000150684959Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.157{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exeC:\Windows\System32\mpr.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Multiple Provider Router DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmpr.dllMD5=0E56DB60C434D51769F2DAC48B9AA686,SHA256=3F9AED98B1B7F6A59C219F622FD91C7FD20BFE280935F5334920A02ECCAE7ED6,IMPHASH=46ADE2B067E724C7163A0B1902FEF225trueMicrosoft WindowsValid 734700x8000000000000000150684958Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.157{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000150684957Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.157{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x8000000000000000150684956Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.157{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000150684955Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.157{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x8000000000000000150684954Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.157{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000150684953Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.157{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242,IMPHASH=B6562243FBF394F03046E917C719260FtrueMicrosoft WindowsValid 734700x8000000000000000150684952Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.157{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exeC:\Windows\System32\cabinet.dll5.00 (rs1_release.160715-1616)Microsoft® Cabinet File APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcabinet.dllMD5=08A4A2712DB2AE10E483FB74E46B0E73,SHA256=EEB32E3E4256CC9935227ACD5BA576B75F1F6FE3C818D2127513CB22F823FECB,IMPHASH=536E202FBC448C2C3B40D60D87620951trueMicrosoft WindowsValid 734700x8000000000000000150684951Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.157{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000150684950Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.157{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exeC:\Windows\System32\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=95BA70CFA8087A209500D7D350BF3A59,SHA256=4265157E8DC2A0E32A6328D54181CC31FD24E3017E60B270623C2CDBE5FAB4FA,IMPHASH=5BAA515B293A764CA06512D078C4E624trueMicrosoft WindowsValid 734700x8000000000000000150684949Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.157{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000150684948Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.157{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000150684947Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.157{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000150684946Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.157{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x8000000000000000150684945Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.157{3BF36828-9F48-61F9-300A-02000000CF01}25045708C:\Windows\system32\conhost.exe{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150684944Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.157{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000150684943Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.157{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000150684942Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.157{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000150684941Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.157{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150684940Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.157{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exeC:\Tools\x64\mimikatz.exe2.2.0.0mimikatz for Windowsmimikatzgentilkiwi (Benjamin DELPY)mimikatz.exeMD5=BB8BDB3E8C92E97E2F63626BC3B254C4,SHA256=912018AB3C6B16B39EE84F17745FF0C80A33CEE241013EC35D0281E40C0658D9,IMPHASH=9528A0E91E28FBB88AD433FEABCA2456trueOpen Source Developer, Benjamin DelpyValid 10341000x8000000000000000150684939Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.157{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684938Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.141{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684937Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.141{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684936Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.141{3BF36828-DC57-61EA-584E-00000000CF01}10401044C:\Windows\system32\csrss.exe{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000150684935Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.141{3BF36828-9F48-61F9-2F0A-02000000CF01}4924836C:\Windows\system32\cmd.exe{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000150684934Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.155{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exe2.2.0.0mimikatz for Windowsmimikatzgentilkiwi (Benjamin DELPY)mimikatz.exemimikatz.exe "privilege::debug" "sekurlsa::tickets /export"C:\Tools\x64\ATTACKRANGE\Administrator{3BF36828-DC57-61EA-2C91-EE0200000000}0x2ee912c3HighMD5=BB8BDB3E8C92E97E2F63626BC3B254C4,SHA256=912018AB3C6B16B39EE84F17745FF0C80A33CEE241013EC35D0281E40C0658D9,IMPHASH=9528A0E91E28FBB88AD433FEABCA2456{3BF36828-9F48-61F9-2F0A-02000000CF01}4924C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" 23542300x800000000000000071087465Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:23.568{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF5AF03235A596DB38AE6811C9A2AEC9,SHA256=8EE764EE611CE37C031B49FB5CE4F859E6CEDAEA16EA912AD8384EFC47E564E0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685010Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:23.781{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32E35FA1D2508A8318D36A06E42647FB,SHA256=F5453BC486E7D29F571DF8CDE95E7BD458DDBA9FECF8B2DDFC170345571B19F0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685009Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:23.188{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=27254A3F0035F0F5F215BEF8B062BEFC,SHA256=9AEF3143A25DE46FB6DE8B80771F53354C02FAD387FAF941F97CC27BD2440530,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685012Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:24.797{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C4CEBB20387AB1BEF2E2B66C16D5A11,SHA256=2102D0781C8B1ED99541B4897B38B384AB9A3D89CB6F1777496707512ED1E0B5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087466Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:24.787{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B59494457CEAC620A8597B2CE89BBFE4,SHA256=9FA808CA708F8CC0CCDC5DC06D738F9762C0BE67075D636B69C6C4E53E173B03,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685011Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:24.031{3BF36828-0669-61F8-11DA-01000000CF01}6068ATTACKRANGE\AdministratorC:\Windows\explorer.exeC:\Users\Administrator\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.datMD5=58FDE1A71D2ADB272DABB3A92B406559,SHA256=555933C7D5D49EBF3648EE1EF420E0C71835139B8A8DEF8FBA64C9EBE48B0C32,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087468Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:25.818{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A057E6B76E47F242CF484166A9854D1A,SHA256=2DC2E772C14949E87764F05C6F8DA8EFF3A72CEE66D0222C8CA71CB97F432C6F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685014Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:25.797{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=447774AEF8487123F778447D10E867B1,SHA256=7A4B5FB9A7F2238B60ED37C5417BDC4B2A718FCCD12C6EB8A6A0818ACCEDBEE3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685013Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:25.172{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EBC7F174192EA428F427F94E4F485C9D,SHA256=E7024849E7F388C9B7C08C3104CC46B189F1FB08289A56FF1595D9C975CE65B3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000071087467Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:17.768{B81B27B7-4B45-61E8-6600-00000000CE01}4020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local54115-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000150685016Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:26.828{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73424D34DE64387C9BA0B577F837C24B,SHA256=4420215CFF5E78E9566B785110717D1E8F6DFA33EF752EC2C8C4A5587DE45336,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000150685015Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:07.711{3BF36828-4B56-61E8-6D00-00000000CF01}4044C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local59786-false10.0.1.12-8000- 23542300x8000000000000000150685017Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:27.860{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3492957A21BB6888A301D73441A85464,SHA256=092D0BE89D1A0384652359D58B7D28C7C7C6C4CD4FB3900A62907830D83F4B12,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000071087470Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:27.943{B81B27B7-4B39-61E8-0D00-00000000CE01}8043948C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1600-00000000CE01}1196C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000071087469Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:27.037{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C290EE72201020FC66AD48D8D989A17,SHA256=1EB338BB95FC24860751E4813FDF70091CE397B0E15EDFF14E49E6F4E62EF88D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685018Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:28.860{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=995F78BD6313CD518D005EE6390F5D91,SHA256=4ECC175027E1A677AA94999C23A6B98817304416E72BBAC15EB679DDF14F4BE6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087471Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:28.084{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=689A0B5162835FBEDE51723CC81CF40E,SHA256=468FE4DA19FABEC82F0D992E5EEC9A0BD2A9E1B3CC05A7333FEB015F903AAAA5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685019Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:29.860{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A966E07AC2AFCC7391C1E8980957726,SHA256=BE2BECC2960A8C4FCAD4B2FC035AD831B69D66C140EE40EDE4546E02194FB0DA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087472Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:29.178{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1157C0EE1F6A7E1669A1C6F44849516B,SHA256=0A175F7098E975FF494653E768FE87EF7B3451DD6437EF77996CB9CD61DC73FA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685020Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:30.938{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D1E8794CF210825F57CB591F6FEBFE5,SHA256=3C77F073E7A7C246FE336396FFEDC95FC01639668099EDEA822E65B6CC1FE9EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000071087474Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:22.909{B81B27B7-4B45-61E8-6600-00000000CE01}4020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local54116-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000071087473Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:30.193{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=217452E85AE0AEB6F4D6350448DC2FCA,SHA256=670A2E286387A3B95F6AD54788BE341C95C1CB33D503CEDE6043217EC86F671D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087475Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:31.209{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D458B41A022917801745DCD7F812384,SHA256=187D2EBBFA1547A7EC3A608E3F772F809FD66E29D46FADB160EEFFDC883E01DC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685022Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:31.188{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6313D7E7FB6B706AF5372F4B50C3B3F1,SHA256=85991755F0558C6ECC8253A57AECFE6E6910FAC5133FFCBAE4B92B02714F1DB3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685021Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:31.188{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CBB67D4803F5359A0D1C47BB16649EDE,SHA256=2047872672BC6A27B195892CD5FD880D24ACAC892D56B015C8240185493A78E6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685025Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:32.266{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6313D7E7FB6B706AF5372F4B50C3B3F1,SHA256=85991755F0558C6ECC8253A57AECFE6E6910FAC5133FFCBAE4B92B02714F1DB3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000150685024Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:13.664{3BF36828-4B56-61E8-6D00-00000000CF01}4044C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local59787-false10.0.1.12-8000- 23542300x8000000000000000150685023Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:32.032{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2753475E7CDCFDF76E5DB02B36C5ED6,SHA256=12347F5CD5C71D77058C47E042DF0D51A579810BDEDCDAC4F591AC1A2769E761,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087476Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:32.224{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08CA675C9E78A238D2737A0B5F09BF7F,SHA256=093394A6BCDBCFFDE886E8D790F3062230FAC85735FD7672FCA86528CFBA5318,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087477Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:33.224{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF2B12B23EE9393D0B6E70DE984374F6,SHA256=922263AAB958AA865209E0540050A85B1085B608F870E324A2C6BFCB1AF772B0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000150685028Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:14.821{3BF36828-4B37-61E8-0B00-00000000CF01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local59788-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 354300x8000000000000000150685027Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:14.821{3BF36828-4B49-61E8-2500-00000000CF01}2824C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local59788-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 23542300x8000000000000000150685026Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:33.032{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAC65F85A47D52C8D448F1EADCAED90F,SHA256=1956F4F9FD9B1C4A31DCADE57255578AC408544ED7FFA0ADB25F31F0C113A2AE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087478Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:34.240{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E314A298C45EA452B99E37F3EDB131EC,SHA256=2DD704A3424559C72E522ED67F2F9174181EC477A3E0A5EE1277FAF37C301BF8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685029Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:34.047{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2DB639412F56566A579C688DAA5B45B,SHA256=37884B97A5F31A9CE20EE4708F85FAAA5F1B5FA177EBD69386F060C9C83D4BCA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000071087480Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:28.752{B81B27B7-4B45-61E8-6600-00000000CE01}4020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local54117-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000071087479Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:35.256{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB03B5EF3B64A02D1B340B1081F6FED9,SHA256=EA60D123270E5031D61E6D805166897AB50B35FDC1C8D31B25873115E1E1D4E4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685030Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:35.063{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFF37EAFF19E2A638F2FAA4C6DF75184,SHA256=E8836FE672F9AE876A5E07B7CA57782364EE85BC26A546B1BC926972A8A1B126,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087481Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:36.287{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=446DAD019D115A3E8EBFAEA8F63A890F,SHA256=ABBD9E192EB17D33B225E0DA83D55B9127C771E95F666D56F999E71C139B5FEB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685032Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:36.266{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0734C62ED1A71CA88EF75E1AB6557EBA,SHA256=52209BA792D5D99750DCCBFF3A67A61301AAC33CD6DC6CFA2B702C64E9F214F9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685031Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:36.063{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09F59420627FF9F9637EA1601F686177,SHA256=4D4194B3EFBB8D03285F68AD1289E6C4C5DF8556ECCEF41F76FADC43AAD483C8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000071087483Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:37.818{B81B27B7-AED0-61F9-B10B-02000000CE01}39884684C:\Windows\system32\taskhostw.exe{B81B27B7-AED0-61F9-B70B-02000000CE01}3740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000071087482Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:37.521{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E98A3DAB192CEF05D28E21AB1407B90,SHA256=3B99EC00CCA66104CF2C55FF4E4AAAD7FA8EE5F945F6D46B63281AF8D3FCFA33,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000150685034Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:18.821{3BF36828-4B56-61E8-6D00-00000000CF01}4044C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local59789-false10.0.1.12-8000- 23542300x8000000000000000150685033Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:37.078{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA087ADC04A4C695223FAACBB09DF966,SHA256=92BDF2331000973DB2B6F77EF254F54744F040FD5D09F659356003C71F835794,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087484Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:38.537{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F46627D457A0FE4082B37D5816CADC8A,SHA256=1AF4CC0356ACD2854297FDA5A753D3962976F7CAE59D5A904D615F722D4709D7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685035Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:38.094{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90378BB6DF7C52F0E05819B569557509,SHA256=32443E8F47B26522A9A9A1DBE1AC5E19216F8C706D7B204A7FB8DF9F2742BD1F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087485Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:39.553{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A102C11C6C3F74AF45C183D94CF8A1F4,SHA256=9862263F308048BB06CF42FBB69790C1293AAE224553F6AAD9AC467143D60C3C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000150685039Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:21.688{3BF36828-4B49-61E8-2E00-00000000CF01}2160C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-128.attackrange.local53domainfalse10.0.1.15WIN-HOST-98751716- 354300x8000000000000000150685038Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:21.686{3BF36828-4B49-61E8-2E00-00000000CF01}2160C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-128.attackrange.local53domainfalse10.0.1.15WIN-HOST-98765492- 23542300x8000000000000000150685037Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:39.141{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E6668E0746482CDD115743E00B5E6D00,SHA256=64C1471E1491EDB6D05ACBAD35A5A281758738FF540227975AD958EFC7EA0F2B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685036Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:39.110{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D63D52FD7B8AE5E39FEDAEE5A0BA071,SHA256=45EA98DA50709153F5362E2EDB4C7DA095B1003E6C4F4C546E5F519DA9483119,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000071087491Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:33.893{B81B27B7-4B45-61E8-6600-00000000CE01}4020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local54118-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x800000000000000071087490Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:32.794{B81B27B7-4B3A-61E8-1400-00000000CE01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10f:0:0:c850:983b:9ce:ffff-62527-truee000:fc:0:0:0:0:0:0-5355llmnr 354300x800000000000000071087489Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:32.794{B81B27B7-4B3A-61E8-1400-00000000CE01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:7073:809d:70b7:7bb9win-host-987.attackrange.local62527-trueff02:0:0:0:0:0:1:3-5355llmnr 354300x800000000000000071087488Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:32.794{B81B27B7-4B35-61E8-0100-00000000CE01}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255-137netbios-nsfalse10.0.1.15win-host-987.attackrange.local137netbios-ns 354300x800000000000000071087487Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:32.794{B81B27B7-4B35-61E8-0100-00000000CE01}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.15win-host-987.attackrange.local137netbios-nsfalse10.0.1.255-137netbios-ns 23542300x800000000000000071087486Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:40.568{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6529129CEFC40018F2D73AFB95B2C43C,SHA256=310A73AD317CA21ADB230A1EFBADD4CDA3B66D6652AAB07D186023802EC6F3FF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685040Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:40.125{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2ED7149D59D6FBD075995B1E9A8597E5,SHA256=759483056A806AB0389136B043A49544976C590DB5FED0FA1579AF9AA61E7B0E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087492Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:41.584{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=240224072B5EF71F7FFAC081DFBC88EB,SHA256=C9A37C118E0F6F50CA20920F64F1105277C9F412BFDDD0A46F51E64F7B20FDF5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685041Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:41.125{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8596F914B171D05A2A3B1DAE8BC099AF,SHA256=D7FF8F81711E148043F40C9B03ED4DC395DC2A8763F83B834426D282ACC7CB62,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000071087501Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:42.990{B81B27B7-AECD-61F9-A70B-02000000CE01}2203852C:\Windows\system32\csrss.exe{B81B27B7-BB9A-61F9-600D-02000000CE01}224C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000071087500Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:42.974{B81B27B7-4B39-61E8-0C00-00000000CE01}7362736C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087499Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:42.974{B81B27B7-4B39-61E8-0C00-00000000CE01}7362736C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087498Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:42.974{B81B27B7-4B38-61E8-0500-00000000CE01}4201000C:\Windows\system32\csrss.exe{B81B27B7-BB9A-61F9-600D-02000000CE01}224C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000071087497Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:42.974{B81B27B7-4B39-61E8-0C00-00000000CE01}7362736C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087496Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:42.974{B81B27B7-4B39-61E8-0C00-00000000CE01}7362736C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087495Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:42.974{B81B27B7-4B39-61E8-0C00-00000000CE01}736760C:\Windows\system32\svchost.exe{B81B27B7-BB9A-61F9-600D-02000000CE01}224C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35af2|c:\windows\system32\rpcss.dll+3c90d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000071087494Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:42.955{B81B27B7-BB9A-61F9-600D-02000000CE01}224C:\Windows\System32\rundll32.exe10.0.14393.4169 (rs1_release.210107-1130)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXEC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -EmbeddingC:\Windows\system32\ATTACKRANGE\REED_SCHMIDT{B81B27B7-AECE-61F9-0184-781000000000}0x107884015MediumMD5=23DB802097F7B7E520E40068A7E68B14,SHA256=28DE7D3E8BF4B19E44063A4BFC2E7C30AE488CD9A1F63320ED374E14AAECA667,IMPHASH=7D1CE1BAFE48B63D9D19E8E0E5DF3E6C{B81B27B7-4B39-61E8-0C00-00000000CE01}736C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 23542300x800000000000000071087493Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:42.615{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=350DBB75891ADED714134D73039F1111,SHA256=6BF9DB9110F1B289DECEBEAC35E0B467A5BD221AAE3A0D6ACB7E75DE5FD103A5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685043Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:42.141{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33EEA3CBFE642229023E7DE8CDC81D8F,SHA256=624F2C0CF980C90FDEE6A558439B24F591FAFBC9019C748F175838CB3B70134E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685042Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:42.111{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8EE5607182B4AA6E3DA6AB1B5B209BB8,SHA256=CE002CCFF4CF5F80EA876A16C7A4386868730FE6A42D194DD55F22A59C3F658D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087506Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:43.959{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E31CF765FD57B615DC5E55FAB51CF384,SHA256=8B423BB81DF6B5B9C61B4920709722D9A0DF045383253A7064389A0D93AD2BC8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087505Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:43.959{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DAF19F7DCFC76D672BBADD6ADE3C0973,SHA256=EC9ED67D90711FDDF29389EFC7414E691E24BD822A6E73050642A5E1126414F1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087504Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:43.631{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CE56C1B1882AA092AD43C679264DEF3,SHA256=90B6F4E8F96D84A1EB4C82806EB53724CA08FACDC7388864A64AB3E7CB5A7978,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000150685045Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:24.680{3BF36828-4B56-61E8-6D00-00000000CF01}4044C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local59790-false10.0.1.12-8000- 23542300x8000000000000000150685044Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:43.157{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3915DF892306EABE890D5CBCE7DCF165,SHA256=27F01FC8E974D016C9136F66FFE557000A1F6AB799667A6EF7817F5FADDD7349,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000071087503Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:43.006{B81B27B7-4B3A-61E8-1600-00000000CE01}11962840C:\Windows\system32\svchost.exe{B81B27B7-BB9A-61F9-600D-02000000CE01}224C:\Windows\System32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087502Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:43.006{B81B27B7-4B3A-61E8-1600-00000000CE01}11961244C:\Windows\system32\svchost.exe{B81B27B7-BB9A-61F9-600D-02000000CE01}224C:\Windows\System32\rundll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000071087507Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:44.646{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E36E5EAFF85ADF9208497D192344353B,SHA256=48CB8566726D51949B25F9FBDB3FF5A7ED234FC58535698AD78F418DDF5905D4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685046Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:44.172{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EBC95A4F897EDDFFB81C229627D7070,SHA256=9B9FDE4CADF62770D3035393147E02964713F8FD98BE255D62D1DDA9C8C6D339,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087508Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:45.646{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6AD25AB9321E1C3C891598A5BDEEB63,SHA256=85C56F1BD4879F6EBA11B903A96656FBFA7AD6574851FC5D0EB68CB54924F99F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685047Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:45.236{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B7B992A5230C09CE7D0B1944619309D,SHA256=875A2359A0F9A30F5DE1E6B7D3C20AC5A16DA2A9EC8FF6D0CD7FA0683722AE7A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000071087511Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:46.943{B81B27B7-AED0-61F9-B10B-02000000CE01}39884684C:\Windows\system32\taskhostw.exe{B81B27B7-AED0-61F9-B70B-02000000CE01}3740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000071087510Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:46.787{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2F37235E591EAF450CF7BFE8047CC57,SHA256=6C0C069A4BC310DCFD123810429F44FC18661C6A2F7D939F02F3B6C7E7CC71FB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685048Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:46.253{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69995015E0560B9033E69DCB54E5E89A,SHA256=B2C9974C117443878104A86811A9DEB7F8F1B7976EE3CCA4947788F4521290C4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087509Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:46.178{B81B27B7-4B3A-61E8-2600-00000000CE01}2172NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087515Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:47.818{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1369DCC4027A4E033C76F8F9C8B0C566,SHA256=D606CDC256C400291E626261E95667EA3F3A3E7A5D994C95F24E2E6D756D6D2E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685049Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:47.256{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF3633FA5F8EE0D3515E6B8B58B46AE4,SHA256=1E6C3FE5316124CFECAD5399C0B9B4C06618BA61A588C631137C11483A094641,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087514Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:47.224{B81B27B7-AED0-61F9-B70B-02000000CE01}3740ATTACKRANGE\REED_SCHMIDTC:\Windows\Explorer.EXEC:\Tools\x64\[0;133115ef]-2-0-40e10000-Administrator@krbtgt-ATTACKRANGE.LOCAL.kirbiMD5=1DEC3E68A35AEC92CB0E0564338555E4,SHA256=E287DA3CC5DE7FEC09BFCDF2B5E1A26BB0B65524A7DC28905CDA6D42B779E4FC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000071087513Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:39.721{B81B27B7-4B45-61E8-6600-00000000CE01}4020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local54119-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x800000000000000071087512Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:47.006{B81B27B7-AED0-61F9-B10B-02000000CE01}39884684C:\Windows\system32\taskhostw.exe{B81B27B7-AED0-61F9-B70B-02000000CE01}3740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000071087517Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:48.850{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3979AE07681E4B700FFA58DB9FA1CFEF,SHA256=6D6F355647688984124C2D0303F096B557A915B90E810D0B1307F65D7E389F35,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685052Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:48.334{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45519577A60B7FFC2E25C4F27C82DF11,SHA256=B8F5A0E01E2929B0AD31172ED1CB0C672D85C77184159C54413B9CBC818C6789,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000071087516Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:40.830{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local54120-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x8000000000000000150685051Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:48.069{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=44005E89A4F1C3F4ED87C703D1A2645A,SHA256=4E567ED3E722FD7C1C7E6B2F51EEB4AF00086A86CE436698051F84AE87DD6980,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685050Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:48.069{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F1702B1D434C9BBEFE4F80F368FF90DE,SHA256=B5D62BF0A8CA83BE3F4468EA82A6B5479A5D0A35C0A609E0F53FB871149C46AA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087518Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:49.912{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1890B4177F41AB75374A9A1AF2A344D,SHA256=DB46C1453A79BBE5A7FF7FD8131A41AFBD914A12436C40ED100283296F54DC16,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000150685057Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:49.725{3BF36828-4B39-61E8-0C00-00000000CF01}8402592C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1500-00000000CF01}1232C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150685056Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:49.725{3BF36828-4B39-61E8-0C00-00000000CF01}8402592C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1500-00000000CF01}1232C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150685055Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:49.725{3BF36828-4B39-61E8-0C00-00000000CF01}8402592C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1500-00000000CF01}1232C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000150685054Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:30.623{3BF36828-4B56-61E8-6D00-00000000CF01}4044C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local59791-false10.0.1.12-8000- 23542300x8000000000000000150685053Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:49.366{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33F3BC4DF0E3EDDE9E18D0641CFC9565,SHA256=9302DF9B082E7702F9B119DB9373293CCF04E5133F5E3172F41F03A150D64B4E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087519Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:50.943{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C3848FA3CEA6D0C82E21A602B03CC73,SHA256=7A7B7F745E9E1267715DAAEC10425A457C2AC5C9582B2986C9970F8F1E38C51F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685058Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:50.397{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AD28CF76A43F91CE172D8C8A4B5C148,SHA256=206678F6003616381347070B10830212B54EB0B53118135B13E67424CFC1638E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087526Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:51.990{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAD1C8DEA329B600EE97BC7281ED0E6C,SHA256=38D32CF62A1029C621891DF789EEF3AAF56D9C3528DAEFEBEF52BB5BAB95286F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685059Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:51.412{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F5A2E204E440D5F5BBB97CA462D0DDD,SHA256=57C8ACFF22AA241D1AD016092FA29EF253FFBEBD03C0CFE59519847670460F72,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000071087525Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:51.240{B81B27B7-AED0-61F9-B70B-02000000CE01}37404000C:\Windows\Explorer.EXE{B81B27B7-BB14-61F9-4E0D-02000000CE01}2400C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+15d19|C:\Windows\System32\SHELL32.dll+b1b50|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087524Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:51.240{B81B27B7-AED0-61F9-B70B-02000000CE01}37404000C:\Windows\Explorer.EXE{B81B27B7-BB14-61F9-4E0D-02000000CE01}2400C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087523Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:51.240{B81B27B7-AED0-61F9-B70B-02000000CE01}37402724C:\Windows\Explorer.EXE{B81B27B7-BB14-61F9-4F0D-02000000CE01}5020C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13af|C:\Windows\System32\SHELL32.dll+b2af0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087522Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:51.240{B81B27B7-AED0-61F9-B70B-02000000CE01}37402724C:\Windows\Explorer.EXE{B81B27B7-BB14-61F9-4F0D-02000000CE01}5020C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+981b0|C:\Windows\System32\SHELL32.dll+b2aac|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087521Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:51.240{B81B27B7-AED0-61F9-B70B-02000000CE01}37402724C:\Windows\Explorer.EXE{B81B27B7-BB14-61F9-4F0D-02000000CE01}5020C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b2a80|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087520Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:51.240{B81B27B7-AED0-61F9-B70B-02000000CE01}37402724C:\Windows\Explorer.EXE{B81B27B7-BB14-61F9-4F0D-02000000CE01}5020C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000150685060Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:52.428{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29F19AE30C333635DA4C3994ABCE0F40,SHA256=28C5C444D0ABD3E8BDB808562E474BBD2AD1BF5D9AB7CC5C4FFDFAA6679EBF5E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000071087527Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:44.799{B81B27B7-4B45-61E8-6600-00000000CE01}4020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local54121-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000150685062Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:53.444{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A86EF2D496D15C85EEFD748E50D55F5C,SHA256=74A8FFF630BC2751B9CDB265D1E4959C57F6AC3BD1D7E2F0D869B49875ABAFAD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087528Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:53.021{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CE65F6BA548E0972E6EEC4AD7ED34EF,SHA256=DA2C4140FD2A8C97204285262D31889394B09F4711E2BD2CE4FFB4AF07AE048B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685061Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:53.084{3BF36828-4B49-61E8-2D00-00000000CF01}3056NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000150685067Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:36.639{3BF36828-4B56-61E8-6D00-00000000CF01}4044C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local59792-false10.0.1.12-8000- 354300x8000000000000000150685066Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:36.639{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local59793-false10.0.1.12-8089- 23542300x8000000000000000150685065Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:54.475{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=434D0FE008DEEEBEF8741F553FD0F43F,SHA256=2D27F1D0A07943D7E5ACA2DAC0CD5B232632DFD6120049F955161F1F2B3E4A2E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087529Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:54.115{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A1C0258459E09D90F2C0D4677930C9B,SHA256=4BA3802BC12C4C942CF93D2005220F2AE323D97AC618243CA84B47702CEB8B08,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685064Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:54.084{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=118E850ABC3F93B5B32699F648C42F0A,SHA256=B4BDD76EF4E42DC06A018DA83CF9B93731660F98D5B3BBA54044C7F8807C9983,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685063Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:54.084{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=44005E89A4F1C3F4ED87C703D1A2645A,SHA256=4E567ED3E722FD7C1C7E6B2F51EEB4AF00086A86CE436698051F84AE87DD6980,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685068Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:55.506{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0D9C07EE38D9DC59E217EBCA8626C23,SHA256=27C25ACB2A1B704F5810E9CE004212CCBBC50F3ACE672DE3A57EFA3B9CB4A710,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087531Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:55.631{B81B27B7-4B3A-61E8-1000-00000000CE01}984NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=05CA3C28AA10D79361EDC4B48DD896E0,SHA256=C24229647531849D791F50BB6E91319BCF12FA8CFE7614DCF445B529498048DD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087530Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:55.162{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AB54098F035E68EAE31095CB88954C9,SHA256=B3500764015F501D35D8ADE89BCCAEB7C06622C437AACB3A868CAC08AAB26B2E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685069Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:56.522{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F157AB7046A19C76E0D2271F80CC6613,SHA256=0442597D31F8C20EC1976F906382DF324D1010D384101716012A54D844097BD1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000071087533Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:49.893{B81B27B7-4B45-61E8-6600-00000000CE01}4020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local54122-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000071087532Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:56.178{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C48E2181C815A3AC72F87FD9D719DF46,SHA256=5BD16A805D4B447242E3A51488FBA8DC72C7EDD6D14F026D91A8DB800AA1D9A0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685070Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:57.537{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95424F8739742317335FEB11C2D860DE,SHA256=A751F89C43E416D31627DD20EC2F71E2441F5AE7E9F6B7C557EC0AD91089CB5A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087534Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:57.178{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EFCA2BC7FC1F7D82D454DDC19D2B3AA,SHA256=9B7BF3979E0FBF392A183A29F1B3C5BFB7F3C34A45D1758AB005DF3BA9C001D3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685071Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:58.584{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCCDC5A3CC716D09316E5323AB3F402A,SHA256=B717163DAF5283FF0EFF7A40B48EA4299D25C58A8221483277937C826D10BE0D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087535Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:58.193{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49A2647E24FCCE6EB66AD5A691F1AE4A,SHA256=EE001F7D04E1ED68A16ED869747F9D4DF39A822E4B49FE602369C8D4D8269C33,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685074Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:59.600{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74BB4E9BD5B148D64BE7B944190B06B3,SHA256=6C45A90C7E6D61AE343A46350ACB693130B3E302A9A4FBC44F264F41AB580E12,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087536Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:59.334{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26C4C8A383A5EC0B2BAF9878565678A6,SHA256=2193D138CA45BEF851EE339D7D3F774DE7DD5F2C8D053B3776AB01A544E983F0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685073Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:59.334{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=83A775B51A6E39BCB9F8C9760734DD2F,SHA256=B31B82BEE8598E993C56D288DB8C6D2D443D5A08A59B90487C4DB59CF9FF8F5C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685072Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:59.334{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=118E850ABC3F93B5B32699F648C42F0A,SHA256=B4BDD76EF4E42DC06A018DA83CF9B93731660F98D5B3BBA54044C7F8807C9983,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685076Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:00.616{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=096155C0F15A363215EC961A3A259A7A,SHA256=295D038D39156194F04155E89979B4E9391103A0ED59F47B17296D534487234D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087537Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:00.349{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0642602D78D36E8941E2F406C2B697C9,SHA256=B24CCD407C35B008466CD6DE1B1690A83E4A6E37170E72148ECE2BDC357BD123,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000150685075Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:41.811{3BF36828-4B56-61E8-6D00-00000000CF01}4044C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local59794-false10.0.1.12-8000- 23542300x8000000000000000150685077Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:01.631{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A85EFDB85EF98B89DCE53686CA38C638,SHA256=4EE7F613301B308E04EAB9DB957F3192D206AF7C0CC20CF27484D6C4AAFDD11E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087538Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:01.474{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=066393E9554E2A58B20F94FB5FB998F1,SHA256=D26B3E9FA7550824C893A215E1577CAF78246FF495D96CCE5C18E92FB5916672,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000150685126Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:02.803{3BF36828-BBAE-61F9-980D-02000000CF01}5756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000150685125Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:02.803{3BF36828-BBAE-61F9-980D-02000000CF01}5756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000150685124Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:02.803{3BF36828-BBAE-61F9-980D-02000000CF01}5756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000150685123Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:02.803{3BF36828-BBAE-61F9-980D-02000000CF01}5756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000150685122Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:02.803{3BF36828-BBAE-61F9-980D-02000000CF01}5756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000150685121Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:02.803{3BF36828-BBAE-61F9-980D-02000000CF01}5756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000150685120Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:02.803{3BF36828-BBAE-61F9-980D-02000000CF01}5756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000150685119Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:02.803{3BF36828-BBAE-61F9-980D-02000000CF01}5756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000150685118Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:02.787{3BF36828-BBAE-61F9-980D-02000000CF01}5756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000150685117Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:02.787{3BF36828-BBAE-61F9-980D-02000000CF01}5756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000150685116Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:02.787{3BF36828-BBAE-61F9-980D-02000000CF01}5756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000150685115Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:02.787{3BF36828-BBAE-61F9-980D-02000000CF01}5756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000150685114Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:02.787{3BF36828-BBAE-61F9-980D-02000000CF01}5756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000150685113Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:02.787{3BF36828-BBAE-61F9-980D-02000000CF01}5756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000150685112Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:02.787{3BF36828-BBAE-61F9-980D-02000000CF01}5756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000150685111Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:02.787{3BF36828-BBAE-61F9-980D-02000000CF01}5756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000150685110Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:02.787{3BF36828-BBAE-61F9-980D-02000000CF01}5756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000150685109Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:02.787{3BF36828-BBAE-61F9-980D-02000000CF01}5756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150685108Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:02.787{3BF36828-BBAE-61F9-980D-02000000CF01}5756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000150685107Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:02.787{3BF36828-BBAE-61F9-980D-02000000CF01}5756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000150685106Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:02.787{3BF36828-BBAE-61F9-980D-02000000CF01}5756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000150685105Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:02.787{3BF36828-BBAE-61F9-980D-02000000CF01}5756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000150685104Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:02.787{3BF36828-BBAE-61F9-980D-02000000CF01}5756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000150685103Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:02.787{3BF36828-BBAE-61F9-980D-02000000CF01}5756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000150685102Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:02.787{3BF36828-BBAE-61F9-980D-02000000CF01}5756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000150685101Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:02.787{3BF36828-BBAE-61F9-980D-02000000CF01}5756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000150685100Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:02.787{3BF36828-BBAE-61F9-980D-02000000CF01}5756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000150685099Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:02.787{3BF36828-BBAE-61F9-980D-02000000CF01}5756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000150685098Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:02.787{3BF36828-BBAE-61F9-980D-02000000CF01}5756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000150685097Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:02.787{3BF36828-BBAE-61F9-980D-02000000CF01}5756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000150685096Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:02.787{3BF36828-BBAE-61F9-980D-02000000CF01}5756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000150685095Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:02.787{3BF36828-BBAE-61F9-980D-02000000CF01}5756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000150685094Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:02.787{3BF36828-BBAE-61F9-980D-02000000CF01}5756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x8000000000000000150685093Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:02.787{3BF36828-BBAE-61F9-980D-02000000CF01}5756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000150685092Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:02.787{3BF36828-BBAE-61F9-980D-02000000CF01}5756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000150685091Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:02.787{3BF36828-BBAE-61F9-980D-02000000CF01}5756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x8000000000000000150685090Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:02.787{3BF36828-4B4B-61E8-3600-00000000CF01}34443464C:\Windows\system32\conhost.exe{3BF36828-BBAE-61F9-980D-02000000CF01}5756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150685089Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:02.787{3BF36828-BBAE-61F9-980D-02000000CF01}5756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000150685088Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:02.787{3BF36828-BBAE-61F9-980D-02000000CF01}5756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000150685087Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:02.787{3BF36828-BBAE-61F9-980D-02000000CF01}5756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150685086Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:02.787{3BF36828-BBAE-61F9-980D-02000000CF01}5756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8trueSplunk, Inc.Valid 10341000x8000000000000000150685085Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:02.787{3BF36828-4B39-61E8-0C00-00000000CF01}8402592C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150685084Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:02.787{3BF36828-4B39-61E8-0C00-00000000CF01}8402592C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150685083Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:02.787{3BF36828-4B39-61E8-0C00-00000000CF01}8402592C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150685082Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:02.787{3BF36828-4B39-61E8-0C00-00000000CF01}8402592C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150685081Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:02.787{3BF36828-4B36-61E8-0500-00000000CF01}416432C:\Windows\system32\csrss.exe{3BF36828-BBAE-61F9-980D-02000000CF01}5756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000150685080Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:02.787{3BF36828-4B49-61E8-2D00-00000000CF01}30564072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-BBAE-61F9-980D-02000000CF01}5756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000150685079Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:02.773{3BF36828-BBAE-61F9-980D-02000000CF01}5756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4B37-61E8-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000150685078Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:02.647{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=613FB43D7798B26B2C65DD2CDB564334,SHA256=D7D4C212695215F569DAA9B68219D0AB51A0EF2681C8AAC42CD450F8975870CC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087539Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:02.490{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB246120F492EA52923394BAD34AF56C,SHA256=A6135E203ED9199646E4257E7A2453E4D4706166F4FB0B42C05036715DF6EA97,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685183Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:03.787{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=83A775B51A6E39BCB9F8C9760734DD2F,SHA256=B31B82BEE8598E993C56D288DB8C6D2D443D5A08A59B90487C4DB59CF9FF8F5C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685182Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:03.709{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCFA86CE69591339084F7CC2989111D0,SHA256=C765599FBA7F2C1BBA4408A68C9E36138C716AD13AC5BF112168477A2E42C473,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000150685181Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:03.678{3BF36828-BBAF-61F9-990D-02000000CF01}51724748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150685180Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:03.678{3BF36828-BBAF-61F9-990D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000150685179Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:03.678{3BF36828-BBAF-61F9-990D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000150685178Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:03.678{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F3616D995A96A499DEFFE39A6834291,SHA256=44C8B331DBCEAF45D642CEFA3BACB929E8D3AD85403D6493F4D100BF2369985C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000071087573Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:03.615{B81B27B7-AED0-61F9-AE0B-02000000CE01}5072944C:\Windows\System32\RuntimeBroker.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000071087572Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:03.615{B81B27B7-AED0-61F9-AE0B-02000000CE01}5072944C:\Windows\System32\RuntimeBroker.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000071087571Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:03.615{B81B27B7-AED0-61F9-B70B-02000000CE01}37404732C:\Windows\Explorer.EXE{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087570Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:03.615{B81B27B7-AED0-61F9-B70B-02000000CE01}37404732C:\Windows\Explorer.EXE{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087569Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:03.599{B81B27B7-AED0-61F9-B70B-02000000CE01}37404388C:\Windows\Explorer.EXE{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13af|C:\Windows\System32\SHELL32.dll+b3175|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087568Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:03.599{B81B27B7-AED0-61F9-B70B-02000000CE01}37404388C:\Windows\Explorer.EXE{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b308e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087567Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:03.599{B81B27B7-AED0-61F9-B70B-02000000CE01}37404388C:\Windows\Explorer.EXE{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087566Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:03.584{B81B27B7-AED0-61F9-AE0B-02000000CE01}5072944C:\Windows\System32\RuntimeBroker.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000071087565Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:03.584{B81B27B7-AED0-61F9-AE0B-02000000CE01}5072944C:\Windows\System32\RuntimeBroker.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x800000000000000071087564Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:03.584{B81B27B7-AED0-61F9-B70B-02000000CE01}37403356C:\Windows\Explorer.EXE{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000071087563Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:03.584{B81B27B7-AED0-61F9-B70B-02000000CE01}37403356C:\Windows\Explorer.EXE{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000071087562Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:03.584{B81B27B7-4B3A-61E8-2100-00000000CE01}1076856C:\Windows\system32\svchost.exe{B81B27B7-AED1-61F9-B90B-02000000CE01}716C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\tileobjserver.dll+bce2|c:\windows\system32\tileobjserver.dll+26da2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000071087561Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:03.584{B81B27B7-4B3A-61E8-2100-00000000CE01}1076856C:\Windows\system32\svchost.exe{B81B27B7-AED1-61F9-B90B-02000000CE01}716C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|c:\windows\system32\tileobjserver.dll+bc8f|c:\windows\system32\tileobjserver.dll+26da2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 10341000x800000000000000071087560Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:03.568{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a384|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087559Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:03.568{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087558Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:03.568{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-AED1-61F9-B90B-02000000CE01}716C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087557Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:03.568{B81B27B7-4B39-61E8-0C00-00000000CE01}7362736C:\Windows\system32\svchost.exe{B81B