23542300x800000000000000071086878Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:57:54.992{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A682F3AC61760F4D2EE41A43C9D6988,SHA256=82F8817241001BEEE9F0ED6CD0AA8DA2464746BE364BDC6E8C644C4ABE5FB535,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000150682515Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:57:36.564{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local59751-false10.0.1.12-8089- 23542300x8000000000000000150682514Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:57:54.476{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=807BF1E68787E4609D1822F526C3C514,SHA256=698F9622ADC57C6D963E90EC661A0D24A05FA4044D8069F80F8D58DA7EAB8FEC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150682516Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:57:55.491{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77BC4679F424FBEB1EBBA70246DE6846,SHA256=53BA630128F71663B7807D52C8FDCEC30CA16770C6C19B319D20725DD7847E5C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071086880Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:57:55.617{B81B27B7-4B3A-61E8-1000-00000000CE01}984NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=9EA065826948D16885E15277B1DED8F4,SHA256=B29388D02E26EE20C83DDC7E1296E1E3686398D329BD3A648AA29FFB67A292B6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000071086879Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:57:47.786{B81B27B7-4B45-61E8-6600-00000000CE01}4020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local54085-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000150682517Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:57:56.491{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0B9C0BC153A5892F8C16BEAC7657225,SHA256=7AF43117FE7ECB193E2F698E7560A333065E91D102A013224B9B28D65225979A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071086881Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:57:56.007{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EDF6AB09360CA3BDC8AFD4D00782A72,SHA256=CE9FDCA7C13338E9E060B9737FB5E7D27D00594AC432415619273633A7A945C2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150682518Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:57:57.507{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=391F383E8A4A6AAFB42671145AA240D8,SHA256=683411226600081C738BD9EADD297B6C0CAE639B5584982C412B5028B163DDC3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071086882Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:57:57.007{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04C49AC0315A443194EC3288836D271D,SHA256=41EF32C918E99DCD63A7943DA77F008210E7FE5E7C1ABBE98F70AB62DF1EA736,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150682519Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:57:58.554{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=124E72EEB01E7CE426E763D8E1785119,SHA256=4E0C302D9790A692DDD82FD15120C8DFD438EFDC26BEBA9D7E05F0E1208C4D01,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071086883Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:57:58.038{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B2AD6D483C2267A850EC0CE714B6870,SHA256=A45D1278E5BCCAC7ECBAEAF17D0EB3C70C238AB8AA78D9F0BA7CB383B6F97377,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000150682523Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:57:41.783{3BF36828-4B56-61E8-6D00-00000000CF01}4044C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local59752-false10.0.1.12-8000- 23542300x8000000000000000150682522Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:57:59.616{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A204378791361043CD3A5B0AAA7B857B,SHA256=A4A10D9B6EEFFB1DC7FEE44B20250780463F4D588B87A3E2AE86B7599908E3C9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071086884Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:57:59.179{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0961AA65EEB98E64881F7DAFEDCA6866,SHA256=BF47CE3874D4BCEF5D135DE3D825010C1D4E2E84C32E6572D9C197EA79EC92F3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150682521Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:57:59.257{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=250DF5729F676CFA575555C18E47A550,SHA256=BB83FC8AD94DBC0AE27B841C7FFB3C333B1C78C37EBA39631A86E1B137F08103,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150682520Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:57:59.257{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=072B32D23385E93FDDF10CF9837571C0,SHA256=005BE75F20139BFA50DA0B362F40BED22806C214683FBDE5E4ECF7CA4E0396B8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150682524Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:00.632{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EC13D91C50C95B68DC02C3C6D4C45CE,SHA256=F3C2836792028F6EB91C69E96DF882FD965D23D1B5FE088CABB60E25D9408534,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071086886Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:00.195{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D54B53976BDBE45383E72F1637A32F92,SHA256=4A75BC6CBB3B162495C2F87521ACBA03C3B932603691081FEDE06AF96637813F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000071086885Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:57:52.880{B81B27B7-4B45-61E8-6600-00000000CE01}4020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local54086-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000150682525Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:01.648{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0746B3BBB30838D7C2A69267ED8F8C3,SHA256=BDD2C7FE2E8F87399B7FD4ACA516510BA3D7143FC64217CAFA88835B1BF961BB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071086887Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:01.414{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F92018BB513B2BF8C4899EED97E8C039,SHA256=AFA46D707F1BD6939C7D011F24FB188A7D306BD6F3D6A202447476A75E8E7894,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071086888Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:02.492{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=901A1CF74AD37DE73AC11DAF4AFDB5B5,SHA256=8B8121870B887FE1351CF4172AF636B5FF6AA5FA98BB8F030138005A1757DB83,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000150682574Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:02.929{3BF36828-BAFA-61F9-780D-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000150682573Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:02.929{3BF36828-BAFA-61F9-780D-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000150682572Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:02.929{3BF36828-BAFA-61F9-780D-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000150682571Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:02.929{3BF36828-BAFA-61F9-780D-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000150682570Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:02.929{3BF36828-BAFA-61F9-780D-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000150682569Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:02.929{3BF36828-BAFA-61F9-780D-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000150682568Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:02.929{3BF36828-BAFA-61F9-780D-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000150682567Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:02.929{3BF36828-BAFA-61F9-780D-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000150682566Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:02.913{3BF36828-BAFA-61F9-780D-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000150682565Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:02.913{3BF36828-BAFA-61F9-780D-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000150682564Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:02.913{3BF36828-BAFA-61F9-780D-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000150682563Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:02.913{3BF36828-BAFA-61F9-780D-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000150682562Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:02.913{3BF36828-BAFA-61F9-780D-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000150682561Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:02.913{3BF36828-BAFA-61F9-780D-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000150682560Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:02.913{3BF36828-BAFA-61F9-780D-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150682559Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:02.913{3BF36828-BAFA-61F9-780D-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000150682558Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:02.913{3BF36828-BAFA-61F9-780D-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000150682557Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:02.913{3BF36828-BAFA-61F9-780D-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000150682556Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:02.913{3BF36828-BAFA-61F9-780D-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000150682555Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:02.913{3BF36828-BAFA-61F9-780D-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000150682554Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:02.913{3BF36828-BAFA-61F9-780D-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000150682553Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:02.913{3BF36828-BAFA-61F9-780D-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000150682552Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:02.913{3BF36828-BAFA-61F9-780D-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000150682551Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:02.913{3BF36828-BAFA-61F9-780D-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000150682550Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:02.913{3BF36828-BAFA-61F9-780D-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000150682549Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:02.913{3BF36828-BAFA-61F9-780D-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000150682548Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:02.913{3BF36828-BAFA-61F9-780D-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000150682547Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:02.913{3BF36828-BAFA-61F9-780D-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000150682546Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:02.913{3BF36828-BAFA-61F9-780D-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000150682545Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:02.913{3BF36828-BAFA-61F9-780D-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000150682544Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:02.913{3BF36828-BAFA-61F9-780D-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000150682543Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:02.913{3BF36828-BAFA-61F9-780D-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000150682542Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:02.913{3BF36828-BAFA-61F9-780D-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000150682541Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:02.913{3BF36828-BAFA-61F9-780D-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000150682540Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:02.913{3BF36828-BAFA-61F9-780D-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x8000000000000000150682539Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:02.913{3BF36828-BAFA-61F9-780D-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x8000000000000000150682538Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:02.913{3BF36828-4B4B-61E8-3600-00000000CF01}34443464C:\Windows\system32\conhost.exe{3BF36828-BAFA-61F9-780D-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150682537Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:02.913{3BF36828-BAFA-61F9-780D-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000150682536Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:02.913{3BF36828-BAFA-61F9-780D-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000150682535Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:02.913{3BF36828-BAFA-61F9-780D-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150682534Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:02.913{3BF36828-BAFA-61F9-780D-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8trueSplunk, Inc.Valid 10341000x8000000000000000150682533Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:02.898{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150682532Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:02.898{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150682531Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:02.898{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150682530Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:02.898{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150682529Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:02.898{3BF36828-4B36-61E8-0500-00000000CF01}416532C:\Windows\system32\csrss.exe{3BF36828-BAFA-61F9-780D-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000150682528Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:02.898{3BF36828-4B49-61E8-2D00-00000000CF01}30564072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-BAFA-61F9-780D-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000150682527Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:02.883{3BF36828-BAFA-61F9-780D-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4B37-61E8-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000150682526Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:02.679{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=950FF5E623962176FF297168BC230A1B,SHA256=F5988519B42239C8768F0DC7AB56C60F9DAD0B14B7AD1A9C0E22CE6FAC69A7ED,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150682631Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:03.898{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=250DF5729F676CFA575555C18E47A550,SHA256=BB83FC8AD94DBC0AE27B841C7FFB3C333B1C78C37EBA39631A86E1B137F08103,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000150682630Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:03.819{3BF36828-BAFB-61F9-790D-02000000CF01}4228596C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150682629Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:03.819{3BF36828-BAFB-61F9-790D-02000000CF01}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000150682628Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:03.819{3BF36828-BAFB-61F9-790D-02000000CF01}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000150682627Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:03.788{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFFF818819A913F6FCCAF5F0AD6A23FD,SHA256=FED48D52E546508871ED9EABD9D2A8BFA0CDEF3231FDDF2BAAA459BCC2325E79,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150682626Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:03.757{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8081F924CDDE29B47EBC4BEC1531CC3,SHA256=21AF4DCEC7F3A65D1F975974ABE8E674393442051377E573B032BCC9BC253AFF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071086889Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:03.538{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11B0C5242D0DCC6C4FA9207854940D1A,SHA256=48D72EE5FB560DEDB88336CFD3C6E49E0A1070972D20C3923CF476663F5F4514,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000150682625Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:03.632{3BF36828-BAFB-61F9-790D-02000000CF01}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000150682624Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:03.632{3BF36828-BAFB-61F9-790D-02000000CF01}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000150682623Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:03.632{3BF36828-BAFB-61F9-790D-02000000CF01}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000150682622Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:03.632{3BF36828-BAFB-61F9-790D-02000000CF01}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000150682621Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:03.632{3BF36828-BAFB-61F9-790D-02000000CF01}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000150682620Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:03.632{3BF36828-BAFB-61F9-790D-02000000CF01}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000150682619Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:03.632{3BF36828-BAFB-61F9-790D-02000000CF01}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000150682618Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:03.632{3BF36828-BAFB-61F9-790D-02000000CF01}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000150682617Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:03.632{3BF36828-BAFB-61F9-790D-02000000CF01}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000150682616Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:03.616{3BF36828-BAFB-61F9-790D-02000000CF01}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000150682615Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:03.616{3BF36828-BAFB-61F9-790D-02000000CF01}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000150682614Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:03.616{3BF36828-BAFB-61F9-790D-02000000CF01}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000150682613Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:03.616{3BF36828-BAFB-61F9-790D-02000000CF01}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000150682612Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:03.616{3BF36828-BAFB-61F9-790D-02000000CF01}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000150682611Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:03.616{3BF36828-BAFB-61F9-790D-02000000CF01}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000150682610Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:03.616{3BF36828-BAFB-61F9-790D-02000000CF01}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000150682609Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:03.616{3BF36828-BAFB-61F9-790D-02000000CF01}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000150682608Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:03.616{3BF36828-BAFB-61F9-790D-02000000CF01}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000150682607Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:03.616{3BF36828-BAFB-61F9-790D-02000000CF01}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000150682606Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:03.616{3BF36828-BAFB-61F9-790D-02000000CF01}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000150682605Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:03.616{3BF36828-BAFB-61F9-790D-02000000CF01}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000150682604Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:03.616{3BF36828-BAFB-61F9-790D-02000000CF01}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000150682603Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:03.601{3BF36828-BAFB-61F9-790D-02000000CF01}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000150682602Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:03.601{3BF36828-BAFB-61F9-790D-02000000CF01}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x8000000000000000150682601Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:03.601{3BF36828-BAFB-61F9-790D-02000000CF01}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000150682600Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:03.601{3BF36828-BAFB-61F9-790D-02000000CF01}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000150682599Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:03.601{3BF36828-BAFB-61F9-790D-02000000CF01}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000150682598Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:03.601{3BF36828-BAFB-61F9-790D-02000000CF01}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000150682597Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:03.601{3BF36828-BAFB-61F9-790D-02000000CF01}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000150682596Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:03.601{3BF36828-BAFB-61F9-790D-02000000CF01}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000150682595Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:03.601{3BF36828-BAFB-61F9-790D-02000000CF01}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000150682594Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:03.601{3BF36828-BAFB-61F9-790D-02000000CF01}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000150682593Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:03.601{3BF36828-BAFB-61F9-790D-02000000CF01}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000150682592Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:03.601{3BF36828-BAFB-61F9-790D-02000000CF01}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000150682591Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:03.601{3BF36828-BAFB-61F9-790D-02000000CF01}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150682590Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:03.601{3BF36828-BAFB-61F9-790D-02000000CF01}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000150682589Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:03.601{3BF36828-4B4B-61E8-3600-00000000CF01}34443464C:\Windows\system32\conhost.exe{3BF36828-BAFB-61F9-790D-02000000CF01}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150682588Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:03.601{3BF36828-BAFB-61F9-790D-02000000CF01}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000150682587Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:03.601{3BF36828-BAFB-61F9-790D-02000000CF01}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000150682586Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:03.601{3BF36828-BAFB-61F9-790D-02000000CF01}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150682585Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:03.601{3BF36828-BAFB-61F9-790D-02000000CF01}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165trueSplunk, Inc.Valid 10341000x8000000000000000150682584Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:03.601{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150682583Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:03.601{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150682582Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:03.601{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150682581Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:03.601{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150682580Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:03.601{3BF36828-4B36-61E8-0500-00000000CF01}416532C:\Windows\system32\csrss.exe{3BF36828-BAFB-61F9-790D-02000000CF01}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000150682579Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:03.601{3BF36828-4B49-61E8-2D00-00000000CF01}30564072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-BAFB-61F9-790D-02000000CF01}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000150682578Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:03.586{3BF36828-BAFB-61F9-790D-02000000CF01}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4B37-61E8-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x8000000000000000150682577Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:03.163{3BF36828-BAFA-61F9-780D-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000150682576Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:03.163{3BF36828-BAFA-61F9-780D-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000150682575Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:03.163{3BF36828-BAFA-61F9-780D-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000150682632Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:04.804{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4756C2921964F3991F3734AC056EBB3E,SHA256=F0D8833171975372D9FEEEE36DFDC1FF130CC9D6043C736248491C034BD37A13,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071086890Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:04.601{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E145F0B565EE2D5B1596E6D4631B9731,SHA256=1F59214156A2CA45AF078CFB6738C1188C9AEDB02A7AE5A5BDDB8D2FB2B7FE7C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071086892Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:05.729{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA7F18467AC41FFBFF5C1189A7BAD2BA,SHA256=9B8A743728B0AE042CE8A601C01383C60FDDF85D1A481141F4AE065DB5567FFC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150682634Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:05.835{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4110E94D28F73BC01B089680198218C2,SHA256=081AEB1149FF744F06F0C757EE0798A2D0A3D8BC2DAFEDC8C0A8594165A8DE01,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150682633Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:05.116{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=154520200A1CCA483FE8F22A73DB262E,SHA256=5854B8BABEDC81070125A58187262FF69DD2121AC6FC798682E253F73E5C4149,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000071086891Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:57:58.723{B81B27B7-4B45-61E8-6600-00000000CE01}4020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local54087-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000150682636Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:06.851{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17EB9F6FAFCD0A81781EDF1F75E76A05,SHA256=EB42772B1594388E3F4AFC40C1DB6728283A00F20D3B67C9A174F04792A2D337,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071086893Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:06.731{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1370C74CB19E8D4152D1C8B48F42B09B,SHA256=DE366D26C006157256BCB7B20CBEB1DACB815134C4504EDD7E499DC0D25F67DE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000150682635Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:57:47.673{3BF36828-4B56-61E8-6D00-00000000CF01}4044C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local59753-false10.0.1.12-8000- 23542300x800000000000000071086894Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:07.747{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=193E06DC9604A94DAD00F90375BE4E7D,SHA256=B53D67E4BEE9C5CCD8493049DA25BE08FA3A14D0334752A49F1494B8A81EB040,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071086895Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:08.856{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC2A0528C0AE939B87F39F51E58D8854,SHA256=47FF523FBABEEEE59F973341299FC62BF44B8229B81E9CCCB2D86AD22EC2EFE1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000150682692Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:08.679{3BF36828-BB00-61F9-7A0D-02000000CF01}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000150682691Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:08.679{3BF36828-BB00-61F9-7A0D-02000000CF01}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000150682690Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:08.679{3BF36828-BB00-61F9-7A0D-02000000CF01}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000150682689Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:08.538{3BF36828-BB00-61F9-7A0D-02000000CF01}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000150682688Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:08.538{3BF36828-BB00-61F9-7A0D-02000000CF01}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000150682687Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:08.538{3BF36828-BB00-61F9-7A0D-02000000CF01}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000150682686Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:08.538{3BF36828-BB00-61F9-7A0D-02000000CF01}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000150682685Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:08.538{3BF36828-BB00-61F9-7A0D-02000000CF01}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000150682684Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:08.538{3BF36828-BB00-61F9-7A0D-02000000CF01}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000150682683Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:08.538{3BF36828-BB00-61F9-7A0D-02000000CF01}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000150682682Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:08.538{3BF36828-BB00-61F9-7A0D-02000000CF01}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000150682681Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:08.523{3BF36828-BB00-61F9-7A0D-02000000CF01}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000150682680Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:08.523{3BF36828-BB00-61F9-7A0D-02000000CF01}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000150682679Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:08.523{3BF36828-BB00-61F9-7A0D-02000000CF01}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000150682678Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:08.523{3BF36828-BB00-61F9-7A0D-02000000CF01}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000150682677Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:08.523{3BF36828-BB00-61F9-7A0D-02000000CF01}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000150682676Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:08.523{3BF36828-BB00-61F9-7A0D-02000000CF01}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000150682675Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:08.523{3BF36828-BB00-61F9-7A0D-02000000CF01}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000150682674Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:08.523{3BF36828-BB00-61F9-7A0D-02000000CF01}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000150682673Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:08.523{3BF36828-BB00-61F9-7A0D-02000000CF01}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000150682672Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:08.523{3BF36828-BB00-61F9-7A0D-02000000CF01}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000150682671Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:08.523{3BF36828-BB00-61F9-7A0D-02000000CF01}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000150682670Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:08.523{3BF36828-BB00-61F9-7A0D-02000000CF01}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000150682669Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:08.523{3BF36828-BB00-61F9-7A0D-02000000CF01}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000150682668Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:08.523{3BF36828-BB00-61F9-7A0D-02000000CF01}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000150682667Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:08.523{3BF36828-BB00-61F9-7A0D-02000000CF01}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000150682666Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:08.523{3BF36828-BB00-61F9-7A0D-02000000CF01}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000150682665Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:08.523{3BF36828-BB00-61F9-7A0D-02000000CF01}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000150682664Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:08.523{3BF36828-BB00-61F9-7A0D-02000000CF01}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000150682663Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:08.523{3BF36828-BB00-61F9-7A0D-02000000CF01}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000150682662Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:08.523{3BF36828-BB00-61F9-7A0D-02000000CF01}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150682661Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:08.523{3BF36828-BB00-61F9-7A0D-02000000CF01}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000150682660Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:08.523{3BF36828-BB00-61F9-7A0D-02000000CF01}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000150682659Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:08.523{3BF36828-BB00-61F9-7A0D-02000000CF01}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000150682658Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:08.523{3BF36828-BB00-61F9-7A0D-02000000CF01}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x8000000000000000150682657Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:08.523{3BF36828-BB00-61F9-7A0D-02000000CF01}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000150682656Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:08.523{3BF36828-BB00-61F9-7A0D-02000000CF01}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x8000000000000000150682655Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:08.523{3BF36828-BB00-61F9-7A0D-02000000CF01}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000150682654Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:08.523{3BF36828-BB00-61F9-7A0D-02000000CF01}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x8000000000000000150682653Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:08.523{3BF36828-BB00-61F9-7A0D-02000000CF01}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x8000000000000000150682652Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:08.523{3BF36828-BB00-61F9-7A0D-02000000CF01}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000150682651Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:08.523{3BF36828-BB00-61F9-7A0D-02000000CF01}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000150682650Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:08.523{3BF36828-BB00-61F9-7A0D-02000000CF01}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x8000000000000000150682649Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:08.523{3BF36828-4B4B-61E8-3600-00000000CF01}34443464C:\Windows\system32\conhost.exe{3BF36828-BB00-61F9-7A0D-02000000CF01}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150682648Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:08.523{3BF36828-BB00-61F9-7A0D-02000000CF01}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000150682647Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:08.523{3BF36828-BB00-61F9-7A0D-02000000CF01}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000150682646Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:08.523{3BF36828-BB00-61F9-7A0D-02000000CF01}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150682645Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:08.523{3BF36828-BB00-61F9-7A0D-02000000CF01}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AECtrueSplunk, Inc.Valid 10341000x8000000000000000150682644Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:08.523{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150682643Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:08.523{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150682642Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:08.523{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150682641Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:08.523{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150682640Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:08.523{3BF36828-4B36-61E8-0500-00000000CF01}416432C:\Windows\system32\csrss.exe{3BF36828-BB00-61F9-7A0D-02000000CF01}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000150682639Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:08.523{3BF36828-4B49-61E8-2D00-00000000CF01}30564072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-BB00-61F9-7A0D-02000000CF01}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000150682638Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:08.508{3BF36828-BB00-61F9-7A0D-02000000CF01}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4B37-61E8-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000150682637Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:08.054{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A923D959C755583125A25A69707DDC88,SHA256=49D77833C3DB7E53045BDCB61545B53F754F18D12B84CA6A10D331C23F24ECFA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000071086912Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:09.919{B81B27B7-4B3C-61E8-3000-00000000CE01}31083128C:\Windows\system32\conhost.exe{B81B27B7-BB01-61F9-480D-02000000CE01}2064C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071086911Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:09.919{B81B27B7-4B39-61E8-0C00-00000000CE01}7364968C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071086910Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:09.919{B81B27B7-4B39-61E8-0C00-00000000CE01}7364968C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071086909Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:09.919{B81B27B7-4B39-61E8-0C00-00000000CE01}7364968C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071086908Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:09.919{B81B27B7-4B38-61E8-0500-00000000CE01}420540C:\Windows\system32\csrss.exe{B81B27B7-BB01-61F9-480D-02000000CE01}2064C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000071086907Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:09.919{B81B27B7-4B39-61E8-0C00-00000000CE01}7364968C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071086906Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:09.919{B81B27B7-4B3A-61E8-2600-00000000CE01}21723992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-BB01-61F9-480D-02000000CE01}2064C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000071086905Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:09.904{B81B27B7-BB01-61F9-480D-02000000CE01}2064C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4B39-61E8-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000071086904Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:09.872{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A9A6E5DEEB51805E3D45258B70E2024,SHA256=DD9CE779221AE586C26EAA9C40159FA945FE9003C9F9B488E1AD2845568E1CD8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000071086903Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:09.231{B81B27B7-4B3C-61E8-3000-00000000CE01}31083128C:\Windows\system32\conhost.exe{B81B27B7-BB01-61F9-470D-02000000CE01}4908C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071086902Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:09.231{B81B27B7-4B38-61E8-0500-00000000CE01}4202120C:\Windows\system32\csrss.exe{B81B27B7-BB01-61F9-470D-02000000CE01}4908C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000071086901Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:09.231{B81B27B7-4B39-61E8-0C00-00000000CE01}7364968C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071086900Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:09.231{B81B27B7-4B39-61E8-0C00-00000000CE01}7364968C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071086899Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:09.231{B81B27B7-4B39-61E8-0C00-00000000CE01}7364968C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071086898Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:09.231{B81B27B7-4B39-61E8-0C00-00000000CE01}7364968C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071086897Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:09.231{B81B27B7-4B3A-61E8-2600-00000000CE01}21723992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-BB01-61F9-470D-02000000CE01}4908C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000071086896Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:09.218{B81B27B7-BB01-61F9-470D-02000000CE01}4908C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4B39-61E8-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000150682794Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.866{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FACBDCB4E9A424F6A98EF3AB24D1F4D,SHA256=EAF35B22BD94A8314DE4CB6324059604FA7DDC287183C038B4AC699E27ED4AAB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000150682793Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.851{3BF36828-BB01-61F9-7C0D-02000000CF01}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000150682792Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.851{3BF36828-BB01-61F9-7C0D-02000000CF01}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000150682791Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.851{3BF36828-BB01-61F9-7C0D-02000000CF01}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000150682790Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.851{3BF36828-BB01-61F9-7C0D-02000000CF01}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000150682789Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.851{3BF36828-BB01-61F9-7C0D-02000000CF01}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000150682788Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.851{3BF36828-BB01-61F9-7C0D-02000000CF01}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000150682787Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.835{3BF36828-BB01-61F9-7C0D-02000000CF01}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000150682786Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.835{3BF36828-BB01-61F9-7C0D-02000000CF01}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000150682785Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.835{3BF36828-BB01-61F9-7C0D-02000000CF01}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000150682784Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.835{3BF36828-BB01-61F9-7C0D-02000000CF01}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000150682783Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.835{3BF36828-BB01-61F9-7C0D-02000000CF01}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000150682782Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.835{3BF36828-BB01-61F9-7C0D-02000000CF01}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000150682781Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.835{3BF36828-BB01-61F9-7C0D-02000000CF01}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000150682780Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.835{3BF36828-BB01-61F9-7C0D-02000000CF01}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000150682779Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.835{3BF36828-BB01-61F9-7C0D-02000000CF01}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000150682778Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.835{3BF36828-BB01-61F9-7C0D-02000000CF01}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000150682777Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.835{3BF36828-BB01-61F9-7C0D-02000000CF01}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000150682776Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.835{3BF36828-BB01-61F9-7C0D-02000000CF01}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150682775Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.835{3BF36828-BB01-61F9-7C0D-02000000CF01}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000150682774Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.835{3BF36828-BB01-61F9-7C0D-02000000CF01}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000150682773Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.835{3BF36828-BB01-61F9-7C0D-02000000CF01}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000150682772Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.835{3BF36828-BB01-61F9-7C0D-02000000CF01}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000150682771Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.835{3BF36828-BB01-61F9-7C0D-02000000CF01}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000150682770Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.835{3BF36828-BB01-61F9-7C0D-02000000CF01}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000150682769Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.835{3BF36828-BB01-61F9-7C0D-02000000CF01}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000150682768Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.835{3BF36828-BB01-61F9-7C0D-02000000CF01}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000150682767Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.819{3BF36828-BB01-61F9-7C0D-02000000CF01}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000150682766Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.819{3BF36828-BB01-61F9-7C0D-02000000CF01}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000150682765Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.819{3BF36828-BB01-61F9-7C0D-02000000CF01}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000150682764Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.819{3BF36828-BB01-61F9-7C0D-02000000CF01}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000150682763Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.819{3BF36828-BB01-61F9-7C0D-02000000CF01}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000150682762Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.819{3BF36828-BB01-61F9-7C0D-02000000CF01}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000150682761Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.819{3BF36828-BB01-61F9-7C0D-02000000CF01}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000150682760Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.819{3BF36828-BB01-61F9-7C0D-02000000CF01}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000150682759Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.819{3BF36828-BB01-61F9-7C0D-02000000CF01}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000150682758Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.819{3BF36828-BB01-61F9-7C0D-02000000CF01}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x8000000000000000150682757Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.819{3BF36828-4B4B-61E8-3600-00000000CF01}34443464C:\Windows\system32\conhost.exe{3BF36828-BB01-61F9-7C0D-02000000CF01}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150682756Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.819{3BF36828-BB01-61F9-7C0D-02000000CF01}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000150682755Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.819{3BF36828-BB01-61F9-7C0D-02000000CF01}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000150682754Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.819{3BF36828-BB01-61F9-7C0D-02000000CF01}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150682753Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.819{3BF36828-BB01-61F9-7C0D-02000000CF01}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25trueSplunk, Inc.Valid 10341000x8000000000000000150682752Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.819{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150682751Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.819{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150682750Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.819{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150682749Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.819{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150682748Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.819{3BF36828-4B36-61E8-0500-00000000CF01}4164876C:\Windows\system32\csrss.exe{3BF36828-BB01-61F9-7C0D-02000000CF01}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000150682747Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.819{3BF36828-4B49-61E8-2D00-00000000CF01}30564072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-BB01-61F9-7C0D-02000000CF01}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000150682746Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.805{3BF36828-BB01-61F9-7C0D-02000000CF01}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4B37-61E8-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000150682745Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.601{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2D002335E59141292B8FFA3740FC3B89,SHA256=6799F2915957D404FEFAEC7970805D9D424B6D0555271382AA393C01CB41BAA6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000150682744Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.382{3BF36828-BB01-61F9-7B0D-02000000CF01}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000150682743Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.382{3BF36828-BB01-61F9-7B0D-02000000CF01}61122888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150682742Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.382{3BF36828-BB01-61F9-7B0D-02000000CF01}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000150682741Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.382{3BF36828-BB01-61F9-7B0D-02000000CF01}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000150682740Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.210{3BF36828-BB01-61F9-7B0D-02000000CF01}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000150682739Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.210{3BF36828-BB01-61F9-7B0D-02000000CF01}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000150682738Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.210{3BF36828-BB01-61F9-7B0D-02000000CF01}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000150682737Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.210{3BF36828-BB01-61F9-7B0D-02000000CF01}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000150682736Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.210{3BF36828-BB01-61F9-7B0D-02000000CF01}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000150682735Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.210{3BF36828-BB01-61F9-7B0D-02000000CF01}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000150682734Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.210{3BF36828-BB01-61F9-7B0D-02000000CF01}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000150682733Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.210{3BF36828-BB01-61F9-7B0D-02000000CF01}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000150682732Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.194{3BF36828-BB01-61F9-7B0D-02000000CF01}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000150682731Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.194{3BF36828-BB01-61F9-7B0D-02000000CF01}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000150682730Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.194{3BF36828-BB01-61F9-7B0D-02000000CF01}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000150682729Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.194{3BF36828-BB01-61F9-7B0D-02000000CF01}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000150682728Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.194{3BF36828-BB01-61F9-7B0D-02000000CF01}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000150682727Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.194{3BF36828-BB01-61F9-7B0D-02000000CF01}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000150682726Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.194{3BF36828-BB01-61F9-7B0D-02000000CF01}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150682725Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.194{3BF36828-BB01-61F9-7B0D-02000000CF01}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000150682724Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.194{3BF36828-BB01-61F9-7B0D-02000000CF01}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000150682723Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.194{3BF36828-BB01-61F9-7B0D-02000000CF01}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000150682722Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.194{3BF36828-BB01-61F9-7B0D-02000000CF01}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000150682721Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.194{3BF36828-BB01-61F9-7B0D-02000000CF01}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000150682720Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.194{3BF36828-BB01-61F9-7B0D-02000000CF01}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000150682719Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.194{3BF36828-BB01-61F9-7B0D-02000000CF01}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000150682718Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.194{3BF36828-BB01-61F9-7B0D-02000000CF01}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000150682717Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.194{3BF36828-BB01-61F9-7B0D-02000000CF01}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000150682716Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.194{3BF36828-BB01-61F9-7B0D-02000000CF01}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000150682715Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.194{3BF36828-BB01-61F9-7B0D-02000000CF01}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000150682714Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.194{3BF36828-BB01-61F9-7B0D-02000000CF01}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000150682713Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.194{3BF36828-BB01-61F9-7B0D-02000000CF01}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000150682712Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.194{3BF36828-BB01-61F9-7B0D-02000000CF01}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000150682711Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.194{3BF36828-BB01-61F9-7B0D-02000000CF01}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000150682710Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.194{3BF36828-BB01-61F9-7B0D-02000000CF01}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000150682709Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.194{3BF36828-BB01-61F9-7B0D-02000000CF01}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000150682708Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.194{3BF36828-BB01-61F9-7B0D-02000000CF01}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000150682707Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.194{3BF36828-BB01-61F9-7B0D-02000000CF01}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000150682706Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.194{3BF36828-BB01-61F9-7B0D-02000000CF01}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x8000000000000000150682705Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.194{3BF36828-4B4B-61E8-3600-00000000CF01}34443464C:\Windows\system32\conhost.exe{3BF36828-BB01-61F9-7B0D-02000000CF01}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150682704Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.194{3BF36828-BB01-61F9-7B0D-02000000CF01}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000150682703Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.194{3BF36828-BB01-61F9-7B0D-02000000CF01}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000150682702Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.194{3BF36828-BB01-61F9-7B0D-02000000CF01}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150682701Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.194{3BF36828-BB01-61F9-7B0D-02000000CF01}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x8000000000000000150682700Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.194{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150682699Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.194{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150682698Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.194{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150682697Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.194{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150682696Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.194{3BF36828-4B36-61E8-0500-00000000CF01}416432C:\Windows\system32\csrss.exe{3BF36828-BB01-61F9-7B0D-02000000CF01}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000150682695Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.194{3BF36828-4B49-61E8-2D00-00000000CF01}30564072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-BB01-61F9-7B0D-02000000CF01}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000150682694Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.182{3BF36828-BB01-61F9-7B0D-02000000CF01}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4B37-61E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000150682693Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.179{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1588AED72483E15E880407BCE8105E5F,SHA256=6780D1B4FCEBDD4AEBC8757FD90BDD59D8CD4B7F52FA14B84737AFB4C37A3BA0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071086925Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:10.919{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2D3E860DCB3F368BC7E5B8185E4479C,SHA256=950D90D5D230C39F76EEF9A27362EFA9A9156F3803FBA3D0E6FD7F54AF6044D6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150682851Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:10.819{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DDF93C6D79EABD76C98D6154938325D0,SHA256=E396C5C5DCCA347653DBB31FEDA2B898282BD3EEE11F1D21EE03841CB3DFE30C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000150682850Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:10.679{3BF36828-BB02-61F9-7D0D-02000000CF01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000150682849Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:10.679{3BF36828-BB02-61F9-7D0D-02000000CF01}35485716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150682848Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:10.679{3BF36828-BB02-61F9-7D0D-02000000CF01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000150682847Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:10.679{3BF36828-BB02-61F9-7D0D-02000000CF01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000150682846Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:10.523{3BF36828-BB02-61F9-7D0D-02000000CF01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000150682845Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:10.523{3BF36828-BB02-61F9-7D0D-02000000CF01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000150682844Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:10.523{3BF36828-BB02-61F9-7D0D-02000000CF01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000150682843Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:10.523{3BF36828-BB02-61F9-7D0D-02000000CF01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000150682842Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:10.523{3BF36828-BB02-61F9-7D0D-02000000CF01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000150682841Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:10.523{3BF36828-BB02-61F9-7D0D-02000000CF01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000150682840Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:10.523{3BF36828-BB02-61F9-7D0D-02000000CF01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000150682839Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:10.523{3BF36828-BB02-61F9-7D0D-02000000CF01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000150682838Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:10.507{3BF36828-BB02-61F9-7D0D-02000000CF01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000150682837Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:10.507{3BF36828-BB02-61F9-7D0D-02000000CF01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000150682836Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:10.507{3BF36828-BB02-61F9-7D0D-02000000CF01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000150682835Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:10.507{3BF36828-BB02-61F9-7D0D-02000000CF01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000150682834Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:10.507{3BF36828-BB02-61F9-7D0D-02000000CF01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000150682833Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:10.507{3BF36828-BB02-61F9-7D0D-02000000CF01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000150682832Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:10.507{3BF36828-BB02-61F9-7D0D-02000000CF01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000150682831Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:10.507{3BF36828-BB02-61F9-7D0D-02000000CF01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000150682830Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:10.507{3BF36828-BB02-61F9-7D0D-02000000CF01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000150682829Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:10.507{3BF36828-BB02-61F9-7D0D-02000000CF01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000150682828Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:10.507{3BF36828-BB02-61F9-7D0D-02000000CF01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150682827Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:10.507{3BF36828-BB02-61F9-7D0D-02000000CF01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000150682826Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:10.507{3BF36828-BB02-61F9-7D0D-02000000CF01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000150682825Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:10.507{3BF36828-BB02-61F9-7D0D-02000000CF01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000150682824Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:10.507{3BF36828-BB02-61F9-7D0D-02000000CF01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000150682823Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:10.507{3BF36828-BB02-61F9-7D0D-02000000CF01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000150682822Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:10.507{3BF36828-BB02-61F9-7D0D-02000000CF01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000150682821Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:10.507{3BF36828-BB02-61F9-7D0D-02000000CF01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000150682820Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:10.507{3BF36828-BB02-61F9-7D0D-02000000CF01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000150682819Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:10.507{3BF36828-BB02-61F9-7D0D-02000000CF01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000150682818Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:10.507{3BF36828-BB02-61F9-7D0D-02000000CF01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000150682817Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:10.507{3BF36828-BB02-61F9-7D0D-02000000CF01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000150682816Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:10.507{3BF36828-BB02-61F9-7D0D-02000000CF01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000150682815Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:10.507{3BF36828-BB02-61F9-7D0D-02000000CF01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000150682814Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:10.507{3BF36828-BB02-61F9-7D0D-02000000CF01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000150682813Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:10.507{3BF36828-BB02-61F9-7D0D-02000000CF01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000150682812Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:10.507{3BF36828-BB02-61F9-7D0D-02000000CF01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x8000000000000000150682811Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:10.507{3BF36828-4B4B-61E8-3600-00000000CF01}34443464C:\Windows\system32\conhost.exe{3BF36828-BB02-61F9-7D0D-02000000CF01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150682810Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:10.507{3BF36828-BB02-61F9-7D0D-02000000CF01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000150682809Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:10.507{3BF36828-BB02-61F9-7D0D-02000000CF01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000150682808Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:10.507{3BF36828-BB02-61F9-7D0D-02000000CF01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150682807Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:10.507{3BF36828-BB02-61F9-7D0D-02000000CF01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x8000000000000000150682806Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:10.507{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150682805Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:10.507{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150682804Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:10.507{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150682803Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:10.507{3BF36828-4B36-61E8-0500-00000000CF01}416432C:\Windows\system32\csrss.exe{3BF36828-BB02-61F9-7D0D-02000000CF01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000150682802Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:10.507{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150682801Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:10.507{3BF36828-4B49-61E8-2D00-00000000CF01}30564072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-BB02-61F9-7D0D-02000000CF01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000150682800Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:10.492{3BF36828-BB02-61F9-7D0D-02000000CF01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4B37-61E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000150682799Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:10.226{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44D8EF85275D6C2A4009D2CD299CE5F5,SHA256=49993DE1083D0600A0432D7DF6843A23E2B36427312A31E4111A44AA8995B125,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000071086924Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:10.606{B81B27B7-4B3C-61E8-3000-00000000CE01}31083128C:\Windows\system32\conhost.exe{B81B27B7-BB02-61F9-490D-02000000CE01}1600C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071086923Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:10.606{B81B27B7-4B39-61E8-0C00-00000000CE01}7364968C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071086922Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:10.606{B81B27B7-4B39-61E8-0C00-00000000CE01}7364968C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071086921Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:10.606{B81B27B7-4B39-61E8-0C00-00000000CE01}7364968C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071086920Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:10.606{B81B27B7-4B39-61E8-0C00-00000000CE01}7364968C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071086919Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:10.606{B81B27B7-4B38-61E8-0500-00000000CE01}420436C:\Windows\system32\csrss.exe{B81B27B7-BB02-61F9-490D-02000000CE01}1600C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000071086918Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:10.606{B81B27B7-4B3A-61E8-2600-00000000CE01}21723992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-BB02-61F9-490D-02000000CE01}1600C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000071086917Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:10.592{B81B27B7-BB02-61F9-490D-02000000CE01}1600C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4B39-61E8-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000071086916Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:03.870{B81B27B7-4B45-61E8-6600-00000000CE01}4020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local54088-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000071086915Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:10.263{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4C5D168E12C3D9D0ADBF869A33B7644F,SHA256=1BB29BA83DEC31B6F6757B0A56E0A3F66A234916E4DFE118344E76DD78957B47,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071086914Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:10.263{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=20D9B05C9F8692F669ADC913DDD3B687,SHA256=F8E75B2FB4C4814590ACFA32CEF84C4A9132F0BD4AE38D4A0098CE3F347C89F3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000071086913Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:10.138{B81B27B7-BB01-61F9-480D-02000000CE01}20641548C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150682798Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:10.007{3BF36828-BB01-61F9-7C0D-02000000CF01}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000150682797Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:10.007{3BF36828-BB01-61F9-7C0D-02000000CF01}3836712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150682796Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:10.007{3BF36828-BB01-61F9-7C0D-02000000CF01}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000150682795Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.991{3BF36828-BB01-61F9-7C0D-02000000CF01}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000071086927Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:11.935{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7012E8927C03A441ED0AD709C69FD213,SHA256=8015C9EE6C2C4D56E06364BAC0C161A2FFD2CBB4D0B3047BB49A49D8DC0F6717,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150682852Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:11.460{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBCA320DAEE479D2B9FF0048301976B7,SHA256=32D3C3A8CD537E20A0B08B98E66E939A3D6750C709A66BF3AFE5F94566151716,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071086926Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:11.653{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4C5D168E12C3D9D0ADBF869A33B7644F,SHA256=1BB29BA83DEC31B6F6757B0A56E0A3F66A234916E4DFE118344E76DD78957B47,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071086928Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:12.935{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD7C093DDD3F218AC0F36FFA2E589B42,SHA256=BFF06CC9E4333E648017AFA4F6E3B514186D62DFD756FF742E06D68FE6DC2562,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150682854Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:12.476{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=521DD6BE3B86F9AA39647EA5CEE2D0ED,SHA256=DB6A638AFB5919D764C540D8ABE40FE3ECB9BA4BE3848DF4EBAB6C3DA0B29C7A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000150682853Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:57:53.627{3BF36828-4B56-61E8-6D00-00000000CF01}4044C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local59754-false10.0.1.12-8000- 23542300x800000000000000071086929Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:13.935{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E010669F248B705CD4296A9C3FD1C77D,SHA256=1095D3C4DB55F7D01DBC1A7C56612BDA40139C72D2CF80B7DF4C07D0E3C319DD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150682855Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:13.491{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1695716B52625F6A344E1542F0D313DE,SHA256=C0E4A2C2150A4DA78565EFBD27CF851D1045F2FD83464A9036ECE4F88DD344A6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150682856Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:14.507{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAF915ADA0FD26AEB265042D156A0D1E,SHA256=C86C053F4576E2A0343EECCDC8D96BE4DFA5F41954CC3E6EE3B5DB19563C9796,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150682857Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:15.538{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B45538CEAC3B12555070D654D2EF2BAA,SHA256=5E5D63ED6F0D2C8B6C388DC564C9A4B2EB659C7AC89A6D75AA3752B6E496E55B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071086930Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:15.153{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21E5801F1E22A725E4163F6986ACC42A,SHA256=190FE7C529D9896BEA075ED5E8DA85B6E3B3A38621D33E41B6D1DDDEF53A5353,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150682860Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:16.539{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC91FE1C768B36E3B0690A06D3535222,SHA256=F786499A18D71698E5ADF34F413964DC399F8842483188AF5266C08D008EEC37,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071086931Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:16.154{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A3C782874267F3949B5C291BF0BD158,SHA256=CF52F7AF923073BEC72C95A34F219277CBD0090E3C3C04BB2826520DC327C3BC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150682859Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:16.163{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=00E2D0E66F1D3E6A507532A1FCA288D2,SHA256=74E927611418295C202D45B9E35FDB6FEF704C34123044AD01B9426E32CC463C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150682858Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:16.163{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C2A849887278B8AA8268DA48A7EC621D,SHA256=913660FAACEBA5852A101CC3D2F4908277EC6A771A9662877C89E19C51650077,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000150682913Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:17.727{3BF36828-BB09-61F9-7E0D-02000000CF01}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000150682912Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:17.727{3BF36828-BB09-61F9-7E0D-02000000CF01}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000150682911Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:17.727{3BF36828-BB09-61F9-7E0D-02000000CF01}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000150682910Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:17.586{3BF36828-BB09-61F9-7E0D-02000000CF01}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000150682909Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:17.586{3BF36828-BB09-61F9-7E0D-02000000CF01}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000150682908Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:17.586{3BF36828-BB09-61F9-7E0D-02000000CF01}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000150682907Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:17.586{3BF36828-BB09-61F9-7E0D-02000000CF01}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000150682906Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:17.586{3BF36828-BB09-61F9-7E0D-02000000CF01}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000150682905Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:17.586{3BF36828-BB09-61F9-7E0D-02000000CF01}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000150682904Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:17.586{3BF36828-BB09-61F9-7E0D-02000000CF01}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000150682903Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:17.571{3BF36828-BB09-61F9-7E0D-02000000CF01}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000150682902Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:17.571{3BF36828-BB09-61F9-7E0D-02000000CF01}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000150682901Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:17.571{3BF36828-BB09-61F9-7E0D-02000000CF01}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000150682900Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:17.571{3BF36828-BB09-61F9-7E0D-02000000CF01}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000150682899Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:17.571{3BF36828-BB09-61F9-7E0D-02000000CF01}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000150682898Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:17.571{3BF36828-BB09-61F9-7E0D-02000000CF01}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000150682897Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:17.571{3BF36828-BB09-61F9-7E0D-02000000CF01}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000150682896Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:17.571{3BF36828-BB09-61F9-7E0D-02000000CF01}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045,IMPHASH=2005807FD04567B79F4109D23F9E6018trueMicrosoft WindowsValid 734700x8000000000000000150682895Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:17.571{3BF36828-BB09-61F9-7E0D-02000000CF01}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000150682894Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:17.571{3BF36828-BB09-61F9-7E0D-02000000CF01}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000150682893Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:17.571{3BF36828-BB09-61F9-7E0D-02000000CF01}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000150682892Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:17.571{3BF36828-BB09-61F9-7E0D-02000000CF01}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000150682891Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:17.571{3BF36828-BB09-61F9-7E0D-02000000CF01}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000150682890Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:17.571{3BF36828-BB09-61F9-7E0D-02000000CF01}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000150682889Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:17.571{3BF36828-BB09-61F9-7E0D-02000000CF01}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000150682888Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:17.571{3BF36828-BB09-61F9-7E0D-02000000CF01}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000150682887Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:17.571{3BF36828-BB09-61F9-7E0D-02000000CF01}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000150682886Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:17.571{3BF36828-BB09-61F9-7E0D-02000000CF01}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000150682885Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:17.571{3BF36828-BB09-61F9-7E0D-02000000CF01}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000150682884Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:17.571{3BF36828-BB09-61F9-7E0D-02000000CF01}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000150682883Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:17.571{3BF36828-BB09-61F9-7E0D-02000000CF01}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000150682882Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:17.571{3BF36828-BB09-61F9-7E0D-02000000CF01}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000150682881Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:17.571{3BF36828-BB09-61F9-7E0D-02000000CF01}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000150682880Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:17.571{3BF36828-BB09-61F9-7E0D-02000000CF01}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000150682879Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:17.571{3BF36828-BB09-61F9-7E0D-02000000CF01}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x8000000000000000150682878Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:17.571{3BF36828-BB09-61F9-7E0D-02000000CF01}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000150682877Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:17.571{3BF36828-BB09-61F9-7E0D-02000000CF01}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000150682876Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:17.571{3BF36828-BB09-61F9-7E0D-02000000CF01}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150682875Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:17.571{3BF36828-BB09-61F9-7E0D-02000000CF01}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000150682874Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:17.571{3BF36828-4B4B-61E8-3600-00000000CF01}34443464C:\Windows\system32\conhost.exe{3BF36828-BB09-61F9-7E0D-02000000CF01}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150682873Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:17.571{3BF36828-BB09-61F9-7E0D-02000000CF01}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000150682872Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:17.571{3BF36828-BB09-61F9-7E0D-02000000CF01}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000150682871Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:17.571{3BF36828-BB09-61F9-7E0D-02000000CF01}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150682870Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:17.571{3BF36828-BB09-61F9-7E0D-02000000CF01}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748trueSplunk, Inc.Valid 10341000x8000000000000000150682869Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:17.571{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150682868Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:17.571{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150682867Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:17.571{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150682866Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:17.571{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150682865Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:17.571{3BF36828-4B36-61E8-0500-00000000CF01}416532C:\Windows\system32\csrss.exe{3BF36828-BB09-61F9-7E0D-02000000CF01}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000150682864Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:17.571{3BF36828-4B49-61E8-2D00-00000000CF01}30564072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-BB09-61F9-7E0D-02000000CF01}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000150682863Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:17.556{3BF36828-BB09-61F9-7E0D-02000000CF01}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4B37-61E8-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000150682862Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:17.555{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8133A6FB2EFCB695D520F69536BAE9FF,SHA256=080280EF2804D089368A2E5DB6711BEFECD5D825ED08E4E625A17CED9D419D5F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000071086933Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:09.776{B81B27B7-4B45-61E8-6600-00000000CE01}4020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local54089-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000071086932Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:17.231{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF38E15F3E749A742BBE4E5A3F983AB3,SHA256=A46F253F573361AA39A633A1D08567F3F33B17DEF61F09E07C203CDD77517EA0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000150682861Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:57:58.689{3BF36828-4B56-61E8-6D00-00000000CF01}4044C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local59755-false10.0.1.12-8000- 23542300x8000000000000000150682915Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:18.883{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A635C2AC1BF064E826F30CE85067D5DD,SHA256=5A87CA286E84F1CC94D37AB29644450B2D0129064A4819A99F3F38C1CDBB0454,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150682914Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:18.571{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=00E2D0E66F1D3E6A507532A1FCA288D2,SHA256=74E927611418295C202D45B9E35FDB6FEF704C34123044AD01B9426E32CC463C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071086934Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:18.247{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=369BF7B2CBB3EA738912AB02CD40845E,SHA256=2D019F681074E34AE8CDDD32A9EF1FC691FDDEFCA65BFAC3114894E6A1688914,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150682916Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:19.664{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCE81D16022C304EF943E92E7A8DFCDA,SHA256=30166FEF8C99378670333A0A77D72F6C34CA2046C034C14EEBB2E6F3E060CFB2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071086935Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:19.294{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB6ED0E6E2802E99E02E76C23850821A,SHA256=C354FD69E704F274AA31EACF3028E7624D623E256490FE4C566222293020B968,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000071086945Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:20.997{B81B27B7-BB0C-61F9-4A0D-02000000CE01}41844656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071086944Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:20.794{B81B27B7-4B3C-61E8-3000-00000000CE01}31083128C:\Windows\system32\conhost.exe{B81B27B7-BB0C-61F9-4A0D-02000000CE01}4184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071086943Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:20.794{B81B27B7-4B39-61E8-0C00-00000000CE01}7364968C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071086942Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:20.794{B81B27B7-4B39-61E8-0C00-00000000CE01}7364968C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071086941Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:20.794{B81B27B7-4B39-61E8-0C00-00000000CE01}7364968C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071086940Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:20.794{B81B27B7-4B39-61E8-0C00-00000000CE01}7364968C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071086939Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:20.794{B81B27B7-4B38-61E8-0500-00000000CE01}4201000C:\Windows\system32\csrss.exe{B81B27B7-BB0C-61F9-4A0D-02000000CE01}4184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000071086938Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:20.794{B81B27B7-4B3A-61E8-2600-00000000CE01}21723992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-BB0C-61F9-4A0D-02000000CE01}4184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000071086937Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:20.779{B81B27B7-BB0C-61F9-4A0D-02000000CE01}4184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4B39-61E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000071086936Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:20.310{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E891203967425B7EA70414DA28B451E0,SHA256=0586FFBDB093BD558C65B773568834F047CED6219E6F212CC378AC0CBE6A6293,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150682918Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:20.696{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C1BE9B00A45C6C05F137A31726DC990,SHA256=CD20FE639CCA5C53C4D428EDEC95128CC1BD58F93BB427E49E7DD481BED50995,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150682917Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:20.305{3BF36828-4B39-61E8-1300-00000000CF01}352NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=CE4C651BE21B0EA92F6DC17A83489C44,SHA256=86A9CB2B1330F00247BF16E668C35D9C535300FBF43F88CE7F746A8705708292,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071086957Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:21.856{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=747C13B142E9D9A29FEF77FF563C4814,SHA256=142519DC38376B0121D983CBEB877808D6C7ACD9359DEB8EA85668215DFD2CD9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071086956Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:21.856{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=954D3EE946909E3E3E91AB7E5D791635,SHA256=93980D6C94FC5C430AED44C832E10CCC3E2CFB0A57439B3D66913021E642B1E6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000071086955Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:21.685{B81B27B7-BB0D-61F9-4B0D-02000000CE01}42164204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071086954Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:21.481{B81B27B7-4B3C-61E8-3000-00000000CE01}31083128C:\Windows\system32\conhost.exe{B81B27B7-BB0D-61F9-4B0D-02000000CE01}4216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071086953Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:21.481{B81B27B7-4B39-61E8-0C00-00000000CE01}7364968C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071086952Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:21.481{B81B27B7-4B39-61E8-0C00-00000000CE01}7364968C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071086951Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:21.481{B81B27B7-4B39-61E8-0C00-00000000CE01}7364968C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071086950Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:21.481{B81B27B7-4B39-61E8-0C00-00000000CE01}7364968C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071086949Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:21.481{B81B27B7-4B38-61E8-0500-00000000CE01}420436C:\Windows\system32\csrss.exe{B81B27B7-BB0D-61F9-4B0D-02000000CE01}4216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000071086948Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:21.481{B81B27B7-4B3A-61E8-2600-00000000CE01}21723992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-BB0D-61F9-4B0D-02000000CE01}4216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000071086947Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:21.467{B81B27B7-BB0D-61F9-4B0D-02000000CE01}4216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4B39-61E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000071086946Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:21.466{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E170249332516D076BD8478075816186,SHA256=A84D8CCAA717EC58B8A3DB6CA062BCAC04C530B9994ACEC14C32CAEEDD1F3ABD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150682919Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:21.743{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE87B95E26B52C187EDA9C1ADCAA846D,SHA256=579378360383AD2DAF3E8641891370BE3FD06BEA6C01815DCB1FFF476B77F003,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150682922Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:22.758{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB457E745548437E6776DE4A66CCCCB4,SHA256=BD8E1AF76491C344043975238B9574EEFE2F34B69E10162DE4780509EFE3177E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000071086976Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:22.856{B81B27B7-4B3C-61E8-3000-00000000CE01}31083128C:\Windows\system32\conhost.exe{B81B27B7-BB0E-61F9-4D0D-02000000CE01}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071086975Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:22.856{B81B27B7-4B39-61E8-0C00-00000000CE01}7364968C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071086974Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:22.856{B81B27B7-4B39-61E8-0C00-00000000CE01}7364968C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071086973Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:22.856{B81B27B7-4B39-61E8-0C00-00000000CE01}7364968C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071086972Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:22.856{B81B27B7-4B39-61E8-0C00-00000000CE01}7364968C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071086971Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:22.856{B81B27B7-4B38-61E8-0500-00000000CE01}420436C:\Windows\system32\csrss.exe{B81B27B7-BB0E-61F9-4D0D-02000000CE01}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000071086970Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:22.856{B81B27B7-4B3A-61E8-2600-00000000CE01}21723992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-BB0E-61F9-4D0D-02000000CE01}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000071086969Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:22.841{B81B27B7-BB0E-61F9-4D0D-02000000CE01}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4B39-61E8-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000071086968Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:22.701{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F7D939F7B13DE6B857AE53206190801,SHA256=211F40752044798C5B495803D921BE4D534B59B5AC5571F9FF2CD9A26E6AC93A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000071086967Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:14.807{B81B27B7-4B45-61E8-6600-00000000CE01}4020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local54090-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x800000000000000071086966Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:22.419{B81B27B7-BB0E-61F9-4C0D-02000000CE01}50283844C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071086965Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:22.185{B81B27B7-4B3C-61E8-3000-00000000CE01}31083128C:\Windows\system32\conhost.exe{B81B27B7-BB0E-61F9-4C0D-02000000CE01}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071086964Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:22.169{B81B27B7-4B39-61E8-0C00-00000000CE01}7364968C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071086963Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:22.169{B81B27B7-4B39-61E8-0C00-00000000CE01}7364968C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071086962Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:22.169{B81B27B7-4B39-61E8-0C00-00000000CE01}7364968C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071086961Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:22.169{B81B27B7-4B39-61E8-0C00-00000000CE01}7364968C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071086960Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:22.169{B81B27B7-4B38-61E8-0500-00000000CE01}420436C:\Windows\system32\csrss.exe{B81B27B7-BB0E-61F9-4C0D-02000000CE01}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000071086959Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:22.169{B81B27B7-4B3A-61E8-2600-00000000CE01}21723992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-BB0E-61F9-4C0D-02000000CE01}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000071086958Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:22.154{B81B27B7-BB0E-61F9-4C0D-02000000CE01}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4B39-61E8-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000150682921Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:04.721{3BF36828-4B56-61E8-6D00-00000000CF01}4044C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local59756-false10.0.1.12-8000- 23542300x8000000000000000150682920Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:22.180{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F52E2ED21653848069A683FCE893CE09,SHA256=E3A1D7FA60F2703755D2443788E60BD2E2AD893231A813CA26DA21C4CC2E0E55,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150682923Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:23.774{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7422E0664A3760FB6B6BC9F9FDA27EF8,SHA256=F1A44AD934AC5EE7701B60AC89AC06BB81B42D3CE3D396B4B68E93B5621AEABC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071086978Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:23.731{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84B54E9AA785E94C95344879AC39F0E9,SHA256=A6E5FB027B11BFEA6859C28B9C32C06109EF24058F680D59768CF3E00819A572,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071086977Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:23.169{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=747C13B142E9D9A29FEF77FF563C4814,SHA256=142519DC38376B0121D983CBEB877808D6C7ACD9359DEB8EA85668215DFD2CD9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150682924Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:24.789{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A54F11DC169045215DC94C620FA142AA,SHA256=19E3D52ABDC4C38F9DEEB7CF488A7DA03D6BD353C510BC4780BA254C2037861E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071086979Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:24.778{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8D83805074C2CD97791CEB046A5EB5F,SHA256=8585BF8A0057716C7F4339153D5C9AA701A084EBCCCBFCCB62FD0F51D6C77D34,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150682925Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:25.821{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E69F37F1962FD5BFAE0BFF409E43703B,SHA256=587D446B34308218DAADDE349C0D8845E3BAD3BF9E03AA7C87BA8550679682DC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071086980Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:25.810{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=597BB5EC2151294E251B3678A848E255,SHA256=898A9854ECF28BE4FA9E5887AE5880DFA08B2613BC1263BBED0E31FFDADDF135,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087034Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:26.888{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D51F588A201DD4D6352896DDF75407DA,SHA256=3774906EB2AC382774BB88259E31F5F2E8071E0E796C5DB9969C29497E68BD43,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150682926Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:26.836{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C9224756CD66406A520190FC2131798,SHA256=E882B2AAFB0B910EE940D7ACB5D47344694E0E27C937C27BEF2A10D5060749F5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000071087033Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:26.747{B81B27B7-AED0-61F9-AE0B-02000000CE01}5072944C:\Windows\System32\RuntimeBroker.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000071087032Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:26.747{B81B27B7-AED0-61F9-AE0B-02000000CE01}5072944C:\Windows\System32\RuntimeBroker.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000071087031Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:26.747{B81B27B7-AED0-61F9-B70B-02000000CE01}37403332C:\Windows\Explorer.EXE{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087030Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:26.747{B81B27B7-AED0-61F9-B70B-02000000CE01}37403332C:\Windows\Explorer.EXE{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000071087029Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:26.716{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F9560CBFB6C6DDD4F333446EEC44634,SHA256=B16C45D96B043D997FE2D6D0BF46764664C4B1DA516C0D09E932258D7DAE0415,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000071087028Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:26.700{B81B27B7-AED0-61F9-AE0B-02000000CE01}5072944C:\Windows\System32\RuntimeBroker.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000071087027Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:26.700{B81B27B7-AED0-61F9-AE0B-02000000CE01}5072944C:\Windows\System32\RuntimeBroker.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x800000000000000071087026Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:26.685{B81B27B7-AED0-61F9-B70B-02000000CE01}37403356C:\Windows\Explorer.EXE{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000071087025Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:26.685{B81B27B7-AED0-61F9-B70B-02000000CE01}37403356C:\Windows\Explorer.EXE{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000071087024Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:26.685{B81B27B7-AED0-61F9-B70B-02000000CE01}37404316C:\Windows\Explorer.EXE{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13af|C:\Windows\System32\SHELL32.dll+b3175|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087023Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:26.685{B81B27B7-AED0-61F9-B70B-02000000CE01}37404316C:\Windows\Explorer.EXE{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b308e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087022Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:26.685{B81B27B7-4B3A-61E8-2100-00000000CE01}10764576C:\Windows\system32\svchost.exe{B81B27B7-AED1-61F9-B90B-02000000CE01}716C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\tileobjserver.dll+bce2|c:\windows\system32\tileobjserver.dll+26da2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000071087021Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:26.685{B81B27B7-4B3A-61E8-2100-00000000CE01}10764576C:\Windows\system32\svchost.exe{B81B27B7-AED1-61F9-B90B-02000000CE01}716C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|c:\windows\system32\tileobjserver.dll+bc8f|c:\windows\system32\tileobjserver.dll+26da2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 10341000x800000000000000071087020Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:26.669{B81B27B7-AED0-61F9-B70B-02000000CE01}37404316C:\Windows\Explorer.EXE{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087019Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:26.655{B81B27B7-4B39-61E8-0D00-00000000CE01}8043524C:\Windows\system32\svchost.exe{B81B27B7-AED1-61F9-B90B-02000000CE01}716C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087018Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:26.655{B81B27B7-4B39-61E8-0D00-00000000CE01}8043524C:\Windows\system32\svchost.exe{B81B27B7-AED1-61F9-B90B-02000000CE01}716C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087017Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:26.655{B81B27B7-4B39-61E8-0D00-00000000CE01}8043524C:\Windows\system32\svchost.exe{B81B27B7-AED1-61F9-B90B-02000000CE01}716C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087016Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:26.655{B81B27B7-4B39-61E8-0D00-00000000CE01}8043524C:\Windows\system32\svchost.exe{B81B27B7-AED1-61F9-B90B-02000000CE01}716C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087015Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:26.655{B81B27B7-4B39-61E8-0D00-00000000CE01}8045004C:\Windows\system32\svchost.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087014Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:26.638{B81B27B7-4B39-61E8-0D00-00000000CE01}8045004C:\Windows\system32\svchost.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087013Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:26.638{B81B27B7-4B39-61E8-0D00-00000000CE01}8045004C:\Windows\system32\svchost.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087012Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:26.638{B81B27B7-4B39-61E8-0D00-00000000CE01}8045004C:\Windows\system32\svchost.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087011Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:26.638{B81B27B7-4B39-61E8-0D00-00000000CE01}8043524C:\Windows\system32\svchost.exe{B81B27B7-AED1-61F9-B90B-02000000CE01}716C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087010Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:26.638{B81B27B7-4B39-61E8-0D00-00000000CE01}8043524C:\Windows\system32\svchost.exe{B81B27B7-AED1-61F9-B90B-02000000CE01}716C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087009Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:26.638{B81B27B7-4B39-61E8-0D00-00000000CE01}8043524C:\Windows\system32\svchost.exe{B81B27B7-AED1-61F9-B90B-02000000CE01}716C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087008Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:26.638{B81B27B7-4B39-61E8-0D00-00000000CE01}8043524C:\Windows\system32\svchost.exe{B81B27B7-AED1-61F9-B90B-02000000CE01}716C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087007Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:26.638{B81B27B7-4B39-61E8-0D00-00000000CE01}8045004C:\Windows\system32\svchost.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087006Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:26.638{B81B27B7-4B39-61E8-0D00-00000000CE01}8045004C:\Windows\system32\svchost.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087005Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:26.638{B81B27B7-4B39-61E8-0D00-00000000CE01}8043524C:\Windows\system32\svchost.exe{B81B27B7-AED1-61F9-B90B-02000000CE01}716C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087004Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:26.638{B81B27B7-4B39-61E8-0D00-00000000CE01}8043524C:\Windows\system32\svchost.exe{B81B27B7-AED1-61F9-B90B-02000000CE01}716C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087003Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:26.638{B81B27B7-4B39-61E8-0D00-00000000CE01}8043524C:\Windows\system32\svchost.exe{B81B27B7-AED1-61F9-B90B-02000000CE01}716C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087002Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:26.638{B81B27B7-4B39-61E8-0D00-00000000CE01}8043524C:\Windows\system32\svchost.exe{B81B27B7-AED1-61F9-B90B-02000000CE01}716C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087001Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:26.638{B81B27B7-4B39-61E8-0D00-00000000CE01}8043524C:\Windows\system32\svchost.exe{B81B27B7-AED1-61F9-B90B-02000000CE01}716C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087000Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:26.638{B81B27B7-4B39-61E8-0D00-00000000CE01}8043524C:\Windows\system32\svchost.exe{B81B27B7-AED1-61F9-B90B-02000000CE01}716C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071086999Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:26.638{B81B27B7-4B39-61E8-0C00-00000000CE01}736760C:\Windows\system32\svchost.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a384|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071086998Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:26.638{B81B27B7-4B39-61E8-0C00-00000000CE01}736760C:\Windows\system32\svchost.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071086997Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:26.638{B81B27B7-4B39-61E8-0C00-00000000CE01}736760C:\Windows\system32\svchost.exe{B81B27B7-AED1-61F9-B90B-02000000CE01}716C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071086996Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:26.638{B81B27B7-4B39-61E8-0C00-00000000CE01}7364968C:\Windows\system32\svchost.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000071086995Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:26.638{B81B27B7-4B39-61E8-0C00-00000000CE01}7364968C:\Windows\system32\svchost.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000071086994Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:26.638{B81B27B7-4B39-61E8-0C00-00000000CE01}7364968C:\Windows\system32\svchost.exe{B81B27B7-AED1-61F9-B90B-02000000CE01}716C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000071086993Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:26.638{B81B27B7-4B39-61E8-0C00-00000000CE01}7365060C:\Windows\system32\svchost.exe{B81B27B7-AED1-61F9-B90B-02000000CE01}716C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a384|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071086992Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:26.638{B81B27B7-4B39-61E8-0C00-00000000CE01}7365060C:\Windows\system32\svchost.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071086991Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:26.638{B81B27B7-4B39-61E8-0C00-00000000CE01}7365060C:\Windows\system32\svchost.exe{B81B27B7-AED1-61F9-B90B-02000000CE01}716C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071086990Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:26.638{B81B27B7-4B39-61E8-0C00-00000000CE01}7364968C:\Windows\system32\svchost.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000071086989Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:26.638{B81B27B7-4B39-61E8-0C00-00000000CE01}7364968C:\Windows\system32\svchost.exe{B81B27B7-AED1-61F9-B90B-02000000CE01}716C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000071086988Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:26.638{B81B27B7-4B39-61E8-0C00-00000000CE01}7364968C:\Windows\system32\svchost.exe{B81B27B7-AED1-61F9-B90B-02000000CE01}716C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000071086987Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:26.638{B81B27B7-4B39-61E8-0C00-00000000CE01}7365060C:\Windows\system32\svchost.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071086986Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:26.638{B81B27B7-4B39-61E8-0C00-00000000CE01}7365060C:\Windows\system32\svchost.exe{B81B27B7-AED1-61F9-B90B-02000000CE01}716C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071086985Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:26.638{B81B27B7-AED0-61F9-B70B-02000000CE01}37404872C:\Windows\Explorer.EXE{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071086984Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:26.638{B81B27B7-AED0-61F9-B70B-02000000CE01}37402724C:\Windows\Explorer.EXE{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071086983Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:26.638{B81B27B7-AED0-61F9-B70B-02000000CE01}37404872C:\Windows\Explorer.EXE{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071086982Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:26.638{B81B27B7-AED0-61F9-B70B-02000000CE01}37403356C:\Windows\Explorer.EXE{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+57c95|C:\Windows\System32\TwinUI.dll+37528|C:\Windows\System32\TwinUI.dll+37448|C:\Windows\System32\TwinUI.dll+38893|C:\Windows\System32\TwinUI.dll+36e6d|C:\Windows\System32\TwinUI.dll+36c71|C:\Windows\System32\TwinUI.dll+3fb990|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0 10341000x800000000000000071086981Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:26.638{B81B27B7-AED0-61F9-B70B-02000000CE01}37403356C:\Windows\Explorer.EXE{B81B27B7-AED1-61F9-B90B-02000000CE01}716C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+57c95|C:\Windows\System32\TwinUI.dll+37590|C:\Windows\System32\TwinUI.dll+37435|C:\Windows\System32\TwinUI.dll+38893|C:\Windows\System32\TwinUI.dll+36e6d|C:\Windows\System32\TwinUI.dll+36c71|C:\Windows\System32\TwinUI.dll+3fb990|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0 23542300x8000000000000000150682929Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:27.852{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E6FA47EAC8FFACCBB9009A67C9760CC,SHA256=97F2DA2698EF12720033C15C19BEA1177324A9E267328D37AE1F2971DF7567D6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000071087070Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:27.907{B81B27B7-AED0-61F9-AE0B-02000000CE01}50722788C:\Windows\System32\RuntimeBroker.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000071087069Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:27.907{B81B27B7-AED0-61F9-AE0B-02000000CE01}50722788C:\Windows\System32\RuntimeBroker.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x800000000000000071087068Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:27.907{B81B27B7-AED0-61F9-AE0B-02000000CE01}5072944C:\Windows\System32\RuntimeBroker.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000071087067Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:27.907{B81B27B7-AED0-61F9-AE0B-02000000CE01}5072944C:\Windows\System32\RuntimeBroker.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x800000000000000071087066Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:27.907{B81B27B7-AED0-61F9-AE0B-02000000CE01}50722788C:\Windows\System32\RuntimeBroker.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000071087065Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:27.907{B81B27B7-AED0-61F9-AE0B-02000000CE01}50722788C:\Windows\System32\RuntimeBroker.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 354300x800000000000000071087064Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:19.838{B81B27B7-4B45-61E8-6600-00000000CE01}4020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local54091-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x800000000000000071087063Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:27.810{B81B27B7-AED0-61F9-AE0B-02000000CE01}50722788C:\Windows\System32\RuntimeBroker.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000071087062Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:27.810{B81B27B7-AED0-61F9-AE0B-02000000CE01}50723884C:\Windows\System32\RuntimeBroker.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000071087061Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:27.810{B81B27B7-AED0-61F9-AE0B-02000000CE01}50722788C:\Windows\System32\RuntimeBroker.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x800000000000000071087060Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:27.810{B81B27B7-AED0-61F9-AE0B-02000000CE01}50723884C:\Windows\System32\RuntimeBroker.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x800000000000000071087059Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:27.810{B81B27B7-AED0-61F9-AE0B-02000000CE01}5072944C:\Windows\System32\RuntimeBroker.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000071087058Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:27.810{B81B27B7-AED0-61F9-AE0B-02000000CE01}5072944C:\Windows\System32\RuntimeBroker.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000071087057Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:27.794{B81B27B7-AED0-61F9-AE0B-02000000CE01}50722656C:\Windows\System32\RuntimeBroker.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d191|C:\Windows\System32\windows.storage.dll+f0036|C:\Windows\System32\windows.storage.dll+f1998|C:\Windows\system32\windows.cortana.Desktop.dll+f6ca|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000071087056Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:27.778{B81B27B7-AED0-61F9-AE0B-02000000CE01}50722656C:\Windows\System32\RuntimeBroker.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d191|C:\Windows\System32\windows.storage.dll+5d030|C:\Windows\System32\windows.storage.dll+6c014|C:\Windows\System32\windows.storage.dll+178c6b|C:\Windows\system32\windows.cortana.Desktop.dll+f61e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4 10341000x800000000000000071087055Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:27.747{B81B27B7-AED0-61F9-AE0B-02000000CE01}5072944C:\Windows\System32\RuntimeBroker.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000071087054Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:27.747{B81B27B7-AED0-61F9-AE0B-02000000CE01}5072944C:\Windows\System32\RuntimeBroker.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000071087053Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:27.700{B81B27B7-AED0-61F9-B70B-02000000CE01}37403356C:\Windows\Explorer.EXE{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000071087052Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:27.700{B81B27B7-AED0-61F9-B70B-02000000CE01}37403356C:\Windows\Explorer.EXE{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000071087051Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:27.700{B81B27B7-AED0-61F9-AE0B-02000000CE01}5072944C:\Windows\System32\RuntimeBroker.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000071087050Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:27.700{B81B27B7-AED0-61F9-AE0B-02000000CE01}5072944C:\Windows\System32\RuntimeBroker.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x800000000000000071087049Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:27.700{B81B27B7-AED0-61F9-AE0B-02000000CE01}50723884C:\Windows\System32\RuntimeBroker.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000071087048Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:27.700{B81B27B7-AED0-61F9-AE0B-02000000CE01}50723884C:\Windows\System32\RuntimeBroker.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x800000000000000071087047Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:27.700{B81B27B7-AED0-61F9-AE0B-02000000CE01}5072944C:\Windows\System32\RuntimeBroker.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000071087046Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:27.700{B81B27B7-AED0-61F9-AE0B-02000000CE01}5072944C:\Windows\System32\RuntimeBroker.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000071087045Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:27.700{B81B27B7-4B3A-61E8-1400-00000000CE01}921796C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087044Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:27.685{B81B27B7-AED0-61F9-B70B-02000000CE01}37403332C:\Windows\Explorer.EXE{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087043Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:27.685{B81B27B7-AED0-61F9-B70B-02000000CE01}37403332C:\Windows\Explorer.EXE{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087042Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:27.685{B81B27B7-AED0-61F9-AE0B-02000000CE01}50723884C:\Windows\System32\RuntimeBroker.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000071087041Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:27.685{B81B27B7-AED0-61F9-AE0B-02000000CE01}50723884C:\Windows\System32\RuntimeBroker.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x800000000000000071087040Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:27.685{B81B27B7-AED0-61F9-AE0B-02000000CE01}5072944C:\Windows\System32\RuntimeBroker.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\execmodelclient.dll+8e62|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000071087039Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:27.685{B81B27B7-AED0-61F9-AE0B-02000000CE01}5072944C:\Windows\System32\RuntimeBroker.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\execmodelclient.dll+8d5e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000071087038Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:27.685{B81B27B7-AED0-61F9-B70B-02000000CE01}3740876C:\Windows\Explorer.EXE{B81B27B7-AED1-61F9-B90B-02000000CE01}716C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087037Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:27.685{B81B27B7-AED0-61F9-B70B-02000000CE01}3740876C:\Windows\Explorer.EXE{B81B27B7-AED1-61F9-B90B-02000000CE01}716C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087036Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:27.685{B81B27B7-AED0-61F9-B70B-02000000CE01}37403332C:\Windows\Explorer.EXE{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087035Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:27.685{B81B27B7-AED0-61F9-B70B-02000000CE01}37403332C:\Windows\Explorer.EXE{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000150682928Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:27.368{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=82431A8B31343BE052039274B158CEA4,SHA256=559EF84D814E438BBC6DD36DE7063847F774E38A854DF66BAED24C0081E717AF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150682927Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:27.368{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=22792713E6F9F17931D885B0994457F6,SHA256=0C65E2A1624B2A91E06EE893E3835B0F0277DB95071DA906E9EBAD3FA49BD1AC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150682931Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:28.883{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=175286C8DFEC215ED5E47DFE5536329B,SHA256=AE95D694CE20FC81A0BF32FA001BDCE5D023DA1A8854C5EC7D286FF863079004,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087126Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:28.923{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C3BDC1CC0DE2B402FC039E5CA243DF1,SHA256=BE106CA53C16A0238138FE5762FF409A59E90A45159A479467F0C52FE1CCF3FD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000071087125Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:28.439{B81B27B7-4B39-61E8-0C00-00000000CE01}736760C:\Windows\system32\svchost.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000071087124Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:28.439{B81B27B7-4B39-61E8-0C00-00000000CE01}736760C:\Windows\system32\svchost.exe{B81B27B7-AED1-61F9-B90B-02000000CE01}716C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000071087123Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:28.439{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-AED1-61F9-B90B-02000000CE01}716C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000071087122Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:28.439{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000071087121Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:28.439{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-AED1-61F9-B90B-02000000CE01}716C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000071087120Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:28.439{B81B27B7-AED0-61F9-AF0B-02000000CE01}21362040C:\Windows\system32\sihost.exe{B81B27B7-AED1-61F9-B90B-02000000CE01}716C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087119Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:28.376{B81B27B7-4B39-61E8-0C00-00000000CE01}7365060C:\Windows\system32\svchost.exe{B81B27B7-AED1-61F9-B90B-02000000CE01}716C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000071087118Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:28.376{B81B27B7-4B39-61E8-0C00-00000000CE01}7365060C:\Windows\system32\svchost.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000071087117Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:28.376{B81B27B7-4B39-61E8-0C00-00000000CE01}7365060C:\Windows\system32\svchost.exe{B81B27B7-AED1-61F9-B90B-02000000CE01}716C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000071087116Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:28.376{B81B27B7-4B3A-61E8-2100-00000000CE01}10762436C:\Windows\system32\svchost.exe{B81B27B7-AED1-61F9-B90B-02000000CE01}716C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\tileobjserver.dll+bce2|c:\windows\system32\tileobjserver.dll+26da2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000071087115Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:28.376{B81B27B7-4B3A-61E8-2100-00000000CE01}10762436C:\Windows\system32\svchost.exe{B81B27B7-AED1-61F9-B90B-02000000CE01}716C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|c:\windows\system32\tileobjserver.dll+bc8f|c:\windows\system32\tileobjserver.dll+26da2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 23542300x800000000000000071087114Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:28.220{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0C1C27091B98EE5D09F33C6C321ECF3,SHA256=B8B9351E4B511F7B35D1A128C38065968EA5B3CA94A2DC8AABD358BB17C7B881,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000071087113Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:28.204{B81B27B7-AED0-61F9-B70B-02000000CE01}37404316C:\Windows\Explorer.EXE{B81B27B7-BB14-61F9-4E0D-02000000CE01}2400C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+15d19|C:\Windows\System32\SHELL32.dll+b1b50|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087112Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:28.204{B81B27B7-AED0-61F9-B70B-02000000CE01}37404316C:\Windows\Explorer.EXE{B81B27B7-BB14-61F9-4E0D-02000000CE01}2400C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087111Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:28.204{B81B27B7-AED0-61F9-B10B-02000000CE01}39884684C:\Windows\system32\taskhostw.exe{B81B27B7-BB14-61F9-4F0D-02000000CE01}5020C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087110Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:28.204{B81B27B7-AED0-61F9-B10B-02000000CE01}39884684C:\Windows\system32\taskhostw.exe{B81B27B7-BB14-61F9-4F0D-02000000CE01}5020C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087109Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:28.204{B81B27B7-AED0-61F9-B70B-02000000CE01}3740968C:\Windows\Explorer.EXE{B81B27B7-BB14-61F9-4E0D-02000000CE01}2400C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+15d19|C:\Windows\System32\SHELL32.dll+b1b50|C:\Windows\System32\SHELL32.dll+f744|C:\Windows\Explorer.EXE+1e118|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087108Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:28.204{B81B27B7-AED0-61F9-B70B-02000000CE01}3740968C:\Windows\Explorer.EXE{B81B27B7-BB14-61F9-4E0D-02000000CE01}2400C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+f744|C:\Windows\Explorer.EXE+1e118|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087107Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:28.204{B81B27B7-AED0-61F9-B70B-02000000CE01}3740968C:\Windows\Explorer.EXE{B81B27B7-BB14-61F9-4E0D-02000000CE01}2400C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+15d19|C:\Windows\System32\SHELL32.dll+b1b50|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087106Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:28.204{B81B27B7-AED0-61F9-B70B-02000000CE01}3740968C:\Windows\Explorer.EXE{B81B27B7-BB14-61F9-4E0D-02000000CE01}2400C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087105Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:28.204{B81B27B7-AED0-61F9-B70B-02000000CE01}37402724C:\Windows\Explorer.EXE{B81B27B7-BB14-61F9-4F0D-02000000CE01}5020C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13af|C:\Windows\System32\SHELL32.dll+b2af0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087104Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:28.204{B81B27B7-AED0-61F9-B70B-02000000CE01}3740968C:\Windows\Explorer.EXE{B81B27B7-BB14-61F9-4E0D-02000000CE01}2400C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087103Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:28.204{B81B27B7-AED0-61F9-B70B-02000000CE01}37402724C:\Windows\Explorer.EXE{B81B27B7-BB14-61F9-4F0D-02000000CE01}5020C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+981b0|C:\Windows\System32\SHELL32.dll+b2aac|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087102Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:28.189{B81B27B7-AED0-61F9-B70B-02000000CE01}37402724C:\Windows\Explorer.EXE{B81B27B7-BB14-61F9-4F0D-02000000CE01}5020C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b2a80|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000150682930Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:09.783{3BF36828-4B56-61E8-6D00-00000000CF01}4044C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local59757-false10.0.1.12-8000- 10341000x800000000000000071087101Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:28.189{B81B27B7-AED0-61F9-B70B-02000000CE01}37402724C:\Windows\Explorer.EXE{B81B27B7-BB14-61F9-4F0D-02000000CE01}5020C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087100Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:28.157{B81B27B7-4B3A-61E8-1600-00000000CE01}11962840C:\Windows\system32\svchost.exe{B81B27B7-BB14-61F9-4F0D-02000000CE01}5020C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087099Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:28.157{B81B27B7-4B3A-61E8-1600-00000000CE01}11961244C:\Windows\system32\svchost.exe{B81B27B7-BB14-61F9-4F0D-02000000CE01}5020C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087098Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:28.157{B81B27B7-BB14-61F9-4F0D-02000000CE01}50205068C:\Windows\system32\conhost.exe{B81B27B7-BB14-61F9-4E0D-02000000CE01}2400C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087097Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:28.142{B81B27B7-AED0-61F9-B70B-02000000CE01}37403356C:\Windows\Explorer.EXE{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000071087096Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:28.142{B81B27B7-AED0-61F9-B70B-02000000CE01}37403356C:\Windows\Explorer.EXE{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000071087095Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:28.142{B81B27B7-AECD-61F9-A70B-02000000CE01}2203852C:\Windows\system32\csrss.exe{B81B27B7-BB14-61F9-4F0D-02000000CE01}5020C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000071087094Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:28.142{B81B27B7-4B39-61E8-0C00-00000000CE01}736760C:\Windows\system32\svchost.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087093Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:28.126{B81B27B7-AED0-61F9-B70B-02000000CE01}3740136C:\Windows\Explorer.EXE{B81B27B7-AED1-61F9-B90B-02000000CE01}716C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087092Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:28.126{B81B27B7-AED0-61F9-B70B-02000000CE01}3740136C:\Windows\Explorer.EXE{B81B27B7-AED1-61F9-B90B-02000000CE01}716C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087091Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:28.126{B81B27B7-AED0-61F9-B70B-02000000CE01}37403332C:\Windows\Explorer.EXE{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087090Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:28.126{B81B27B7-AED0-61F9-B70B-02000000CE01}37403332C:\Windows\Explorer.EXE{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087089Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:28.126{B81B27B7-4B39-61E8-0C00-00000000CE01}7365060C:\Windows\system32\svchost.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087088Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:28.126{B81B27B7-AECD-61F9-A70B-02000000CE01}2203852C:\Windows\system32\csrss.exe{B81B27B7-BB14-61F9-4E0D-02000000CE01}2400C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000071087087Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:28.126{B81B27B7-AED0-61F9-B70B-02000000CE01}37403860C:\Windows\Explorer.EXE{B81B27B7-BB14-61F9-4E0D-02000000CE01}2400C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e61f|C:\Windows\System32\windows.storage.dll+16e295|C:\Windows\System32\windows.storage.dll+16dd86|C:\Windows\System32\windows.storage.dll+16f1f8|C:\Windows\System32\windows.storage.dll+16dbae|C:\Windows\System32\windows.storage.dll+fd025|C:\Windows\System32\windows.storage.dll+fd3a4|C:\Windows\System32\windows.storage.dll+fc9e0|C:\Windows\System32\windows.storage.dll+1664ae|C:\Windows\System32\windows.storage.dll+1661a2|C:\Windows\System32\SHELL32.dll+90ee1|C:\Windows\System32\SHELL32.dll+8fd46|C:\Windows\System32\SHELL32.dll+d0c11|C:\Windows\System32\SHELL32.dll+b6e2e|C:\Windows\System32\windows.storage.dll+2d1a2|C:\Windows\System32\windows.storage.dll+2ce99|C:\Windows\System32\windows.storage.dll+2cd6f|C:\Windows\System32\SHELL32.dll+d0c97|C:\Windows\System32\SHELL32.dll+b6e2e|C:\Windows\System32\SHELL32.dll+1721db 10341000x800000000000000071087086Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:28.126{B81B27B7-4B39-61E8-0C00-00000000CE01}736760C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087085Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:28.126{B81B27B7-4B39-61E8-0C00-00000000CE01}736760C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087084Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:28.126{B81B27B7-4B39-61E8-0C00-00000000CE01}736760C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087083Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:28.126{B81B27B7-4B39-61E8-0C00-00000000CE01}736760C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000071087082Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:28.132{B81B27B7-BB14-61F9-4E0D-02000000CE01}2400C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" C:\Users\reed_schmidt\ATTACKRANGE\REED_SCHMIDT{B81B27B7-AECE-61F9-0184-781000000000}0x107884015MediumMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{B81B27B7-AED0-61F9-B70B-02000000CE01}3740C:\Windows\explorer.exeC:\Windows\Explorer.EXE 10341000x800000000000000071087081Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:28.111{B81B27B7-4B39-61E8-0C00-00000000CE01}736760C:\Windows\system32\svchost.exe{B81B27B7-AED1-61F9-B90B-02000000CE01}716C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087080Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:28.111{B81B27B7-AED0-61F9-B70B-02000000CE01}37403332C:\Windows\Explorer.EXE{B81B27B7-AED1-61F9-B90B-02000000CE01}716C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087079Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:28.111{B81B27B7-AED0-61F9-B70B-02000000CE01}37403332C:\Windows\Explorer.EXE{B81B27B7-AED1-61F9-B90B-02000000CE01}716C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087078Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:28.111{B81B27B7-4B39-61E8-0C00-00000000CE01}7365060C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-2100-00000000CE01}1076C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087077Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:28.111{B81B27B7-4B39-61E8-0C00-00000000CE01}7365060C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-2100-00000000CE01}1076C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087076Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:28.095{B81B27B7-AED0-61F9-B70B-02000000CE01}37403356C:\Windows\Explorer.EXE{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+925b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+650d|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+1e1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x800000000000000071087075Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:28.095{B81B27B7-AED0-61F9-B70B-02000000CE01}37403356C:\Windows\Explorer.EXE{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+658c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64d9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+1e1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x800000000000000071087074Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:28.095{B81B27B7-AED0-61F9-B70B-02000000CE01}37403356C:\Windows\Explorer.EXE{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64ad|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+1e1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000071087073Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:28.095{B81B27B7-4B39-61E8-0C00-00000000CE01}7365060C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-2100-00000000CE01}1076C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087072Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:28.095{B81B27B7-4B39-61E8-0C00-00000000CE01}7365060C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-2100-00000000CE01}1076C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000071087071Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:28.079{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A48418D6F5BCD5DE14149A391DE0B864,SHA256=194D1B882D9D1CCD39EE257D47A98B22E217AC8BF28B4B6FD93C971592842CA7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150682932Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:29.883{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16AA979F7A5B1181131EB58E90C3BA04,SHA256=F00DFCE5DE226D3835995515A65ED23554F03C062BC460F84BA207CC0EE1D60A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087129Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:29.939{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B7C2D68D929CB9DCBA3C1B7CDBD1156,SHA256=03930FBF7A152E4160092F7DBF12B4C2A4E4E9D3A177AAA723D4E0A43622CAFC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087128Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:29.361{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8AB116445473D8EE44C394D1E7D037AB,SHA256=8FBDB11B52D4FDE579ECFCA208C2D92C579432690AF93CCDE5AA8AAAE773AA4C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087127Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:29.361{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4D60727BFD1F03586148400CB22C68D7,SHA256=4A93022BCDED3FC771CB0C8E3D2AFC54504CC1F1FC0C117135E5FED7E9E99CBB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087130Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:30.954{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16BBBB0D3B12D70DC1541F65CABF688F,SHA256=76402102630E235D9F91505AFAD8459363039EA91D4906757C034301792BA1B3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150682933Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:30.946{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4460264FD458B83337DBC6A7050D4BE4,SHA256=20487BAD282D0EC30D32B4CB3FC73852F000D23C46973CACC75D064AC3A9825D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087131Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:31.970{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC01CFCE0442B2AC05EAEAA390496B06,SHA256=E34C4CB66B84B31F9D6EC461BAD85649C1FB2F5126B35D3B895A793FC5AEA6A9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150682934Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:31.977{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76E85F2308CC63C49B90927C8C002A8D,SHA256=646D486218ADF55F56EAA9C718CB8BFD76638DF74DDBB3FE78CAE728464E7EB3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087132Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:32.986{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78B07537BD4EC8EAC11CBE1DF1CDA3A1,SHA256=3600E2BA71E4FD2AE257ED98F4F0EE1183D789A061550D332282D4CDA7F4F77C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000150682937Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:14.815{3BF36828-4B37-61E8-0B00-00000000CF01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local59758-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 354300x8000000000000000150682936Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:14.815{3BF36828-4B49-61E8-2500-00000000CF01}2824C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local59758-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 23542300x8000000000000000150682935Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:32.274{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=82431A8B31343BE052039274B158CEA4,SHA256=559EF84D814E438BBC6DD36DE7063847F774E38A854DF66BAED24C0081E717AF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000150682939Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:15.690{3BF36828-4B56-61E8-6D00-00000000CF01}4044C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local59759-false10.0.1.12-8000- 23542300x8000000000000000150682938Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:33.024{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=923B8AE08A4DFDF78095D473A5FAE790,SHA256=332B8842D9059DD1F324D516E394E01EB5B451187E52A83A6E3129DE8C186838,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000071087158Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:33.611{B81B27B7-4B39-61E8-0C00-00000000CE01}7362736C:\Windows\system32\svchost.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000071087157Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:33.611{B81B27B7-4B39-61E8-0C00-00000000CE01}7362736C:\Windows\system32\svchost.exe{B81B27B7-BB19-61F9-500D-02000000CE01}1868C:\Windows\system32\backgroundTaskHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000071087156Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:33.611{B81B27B7-4B39-61E8-0C00-00000000CE01}7362736C:\Windows\system32\svchost.exe{B81B27B7-AED1-61F9-B90B-02000000CE01}716C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000071087155Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:33.611{B81B27B7-4B39-61E8-0C00-00000000CE01}7364796C:\Windows\system32\svchost.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000071087154Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:33.611{B81B27B7-4B39-61E8-0C00-00000000CE01}7364796C:\Windows\system32\svchost.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000071087153Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:33.611{B81B27B7-4B39-61E8-0C00-00000000CE01}7364796C:\Windows\system32\svchost.exe{B81B27B7-BB19-61F9-500D-02000000CE01}1868C:\Windows\system32\backgroundTaskHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000071087152Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:33.611{B81B27B7-4B39-61E8-0C00-00000000CE01}7364796C:\Windows\system32\svchost.exe{B81B27B7-AED1-61F9-B90B-02000000CE01}716C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000071087151Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:33.611{B81B27B7-AED0-61F9-AF0B-02000000CE01}21361832C:\Windows\system32\sihost.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087150Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:33.439{B81B27B7-4B39-61E8-0C00-00000000CE01}7362736C:\Windows\system32\svchost.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000071087149Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:33.439{B81B27B7-4B39-61E8-0C00-00000000CE01}7362736C:\Windows\system32\svchost.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000071087148Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:33.439{B81B27B7-4B39-61E8-0C00-00000000CE01}7362736C:\Windows\system32\svchost.exe{B81B27B7-BB19-61F9-500D-02000000CE01}1868C:\Windows\system32\backgroundTaskHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000071087147Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:33.439{B81B27B7-4B39-61E8-0C00-00000000CE01}7362736C:\Windows\system32\svchost.exe{B81B27B7-AED1-61F9-B90B-02000000CE01}716C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000071087146Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:33.329{B81B27B7-AED0-61F9-AF0B-02000000CE01}21362532C:\Windows\system32\sihost.exe{B81B27B7-BB19-61F9-500D-02000000CE01}1868C:\Windows\system32\backgroundTaskHost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\twinui.appcore.dll+684b|C:\Windows\System32\twinui.appcore.dll+756d|C:\Windows\system32\activationmanager.dll+b93d|C:\Windows\System32\twinui.appcore.dll+3df1|C:\Windows\SYSTEM32\twinapi.appcore.dll+2accd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000071087145Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:33.329{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-BB19-61F9-500D-02000000CE01}1868C:\Windows\system32\backgroundTaskHost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|c:\windows\system32\bisrv.dll+1d9ff|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000071087144Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:33.314{B81B27B7-4B3A-61E8-1600-00000000CE01}11962840C:\Windows\system32\svchost.exe{B81B27B7-BB19-61F9-500D-02000000CE01}1868C:\Windows\system32\backgroundTaskHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087143Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:33.314{B81B27B7-4B3A-61E8-1600-00000000CE01}11961244C:\Windows\system32\svchost.exe{B81B27B7-BB19-61F9-500D-02000000CE01}1868C:\Windows\system32\backgroundTaskHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087142Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:33.298{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-BB19-61F9-500D-02000000CE01}1868C:\Windows\system32\backgroundTaskHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087141Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:33.298{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-BB19-61F9-500D-02000000CE01}1868C:\Windows\system32\backgroundTaskHost.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|c:\windows\system32\psmsrv.dll+e342|c:\windows\system32\psmsrv.dll+eb86|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087140Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:33.251{B81B27B7-AECD-61F9-A70B-02000000CE01}2203852C:\Windows\system32\csrss.exe{B81B27B7-BB19-61F9-500D-02000000CE01}1868C:\Windows\system32\backgroundTaskHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000071087139Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:33.251{B81B27B7-4B38-61E8-0500-00000000CE01}420540C:\Windows\system32\csrss.exe{B81B27B7-BB19-61F9-500D-02000000CE01}1868C:\Windows\system32\backgroundTaskHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000071087138Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:33.251{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-BB19-61F9-500D-02000000CE01}1868C:\Windows\system32\backgroundTaskHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35af2|c:\windows\system32\rpcss.dll+4401|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087137Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:33.204{B81B27B7-4B39-61E8-0C00-00000000CE01}736760C:\Windows\system32\svchost.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000071087136Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:33.204{B81B27B7-4B39-61E8-0C00-00000000CE01}736760C:\Windows\system32\svchost.exe{B81B27B7-AED1-61F9-B90B-02000000CE01}716C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000071087135Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:33.204{B81B27B7-4B39-61E8-0C00-00000000CE01}7364796C:\Windows\system32\svchost.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000071087134Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:33.204{B81B27B7-4B39-61E8-0C00-00000000CE01}7364796C:\Windows\system32\svchost.exe{B81B27B7-AED1-61F9-B90B-02000000CE01}716C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 354300x800000000000000071087133Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:24.874{B81B27B7-4B45-61E8-6600-00000000CE01}4020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local54092-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000071087160Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:34.267{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8AB116445473D8EE44C394D1E7D037AB,SHA256=8FBDB11B52D4FDE579ECFCA208C2D92C579432690AF93CCDE5AA8AAAE773AA4C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087159Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:34.017{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C887A343FC163DDEB50FF031A9A2F1FD,SHA256=2DDEC6CB23F8254438541934DDA0799523EAEA2395545E460745E76B988CBCA0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150682940Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:34.055{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=417861362C134256C30521E25A64E556,SHA256=CF5955C844527067F0BE5E3FFA587B221B13D29E6CADDB7F697BEE569CFFAF7F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150682941Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:35.086{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63AA6E68FCDAB436147177B46AE4869C,SHA256=8C86D7954CBC81F960BB7CD4B5D165100B7E3212313D2FB5D3D7FF9D96B1E3BD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087161Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:35.064{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FDF5AEE72AE1D6DDA3AF00BCAD7E9D5,SHA256=11EA366317FBE835F3989F9D3C053CBE0CB0F83BDA65EBA7DD4A5DA07ADAD91D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150682942Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:36.133{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B3AA999A313FFC6B83F22E279DBB0D0,SHA256=EE213B3F1B14FAF69303F5A52AF44152C24C9F0E5F6ED37B7B9E253D100122A3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087162Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:36.126{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93CE19E52690AD5C41C6704291296F14,SHA256=48533172ABE4E7325C3CA1D08B6A7302A2FDA4E7BFCE023B8C66DF368BF84FEC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000071087164Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:29.920{B81B27B7-4B45-61E8-6600-00000000CE01}4020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local54093-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000071087163Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:37.157{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0B7BA0A25D8973D2061949AAF974D86,SHA256=684C9C9C20440D78A3CEF5CAA5C1CBE36EAEBABD2F63045D68A2D9F10C31E23D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150682943Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:37.149{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF2AB9059C4A24DCEB8F12F838229FDB,SHA256=DA7A81021AFCEF5EAF2A5ACFAE13953E678B63603AC1783DADD0F57A54D1A3B5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000071087176Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:38.893{B81B27B7-AED0-61F9-AE0B-02000000CE01}5072944C:\Windows\System32\RuntimeBroker.exe{B81B27B7-BB19-61F9-500D-02000000CE01}1868C:\Windows\system32\backgroundTaskHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d191|C:\Windows\System32\windows.storage.dll+5d030|C:\Windows\System32\windows.storage.dll+17d743|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b 10341000x800000000000000071087175Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:38.893{B81B27B7-AED0-61F9-AF0B-02000000CE01}21361832C:\Windows\system32\sihost.exe{B81B27B7-BB19-61F9-500D-02000000CE01}1868C:\Windows\system32\backgroundTaskHost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\twinui.appcore.dll+684b|C:\Windows\System32\twinui.appcore.dll+756d|C:\Windows\system32\activationmanager.dll+b93d|C:\Windows\System32\twinui.appcore.dll+3df1|C:\Windows\SYSTEM32\twinapi.appcore.dll+2accd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000071087174Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:38.893{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-BB19-61F9-500D-02000000CE01}1868C:\Windows\system32\backgroundTaskHost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|c:\windows\system32\bisrv.dll+1d9ff|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000071087173Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:38.876{B81B27B7-4B39-61E8-0C00-00000000CE01}7365060C:\Windows\system32\svchost.exe{B81B27B7-BB19-61F9-500D-02000000CE01}1868C:\Windows\system32\backgroundTaskHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a384|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087172Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:38.876{B81B27B7-4B39-61E8-0C00-00000000CE01}7365060C:\Windows\system32\svchost.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087171Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:38.876{B81B27B7-4B39-61E8-0C00-00000000CE01}7365060C:\Windows\system32\svchost.exe{B81B27B7-BB19-61F9-500D-02000000CE01}1868C:\Windows\system32\backgroundTaskHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087170Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:38.876{B81B27B7-4B39-61E8-0C00-00000000CE01}7365060C:\Windows\system32\svchost.exe{B81B27B7-AED1-61F9-B90B-02000000CE01}716C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087169Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:38.876{B81B27B7-4B39-61E8-0C00-00000000CE01}7362736C:\Windows\system32\svchost.exe{B81B27B7-BB19-61F9-500D-02000000CE01}1868C:\Windows\system32\backgroundTaskHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000071087168Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:38.876{B81B27B7-4B39-61E8-0C00-00000000CE01}7362736C:\Windows\system32\svchost.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000071087167Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:38.876{B81B27B7-4B39-61E8-0C00-00000000CE01}7362736C:\Windows\system32\svchost.exe{B81B27B7-BB19-61F9-500D-02000000CE01}1868C:\Windows\system32\backgroundTaskHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000071087166Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:38.876{B81B27B7-4B39-61E8-0C00-00000000CE01}7362736C:\Windows\system32\svchost.exe{B81B27B7-AED1-61F9-B90B-02000000CE01}716C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 23542300x800000000000000071087165Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:38.173{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C54FA7BB1952FACAF649DF0E0B138713,SHA256=BC80B43DF4D636562BFEFA7076C11E68E0E03BB827FADED1552E7EF447D549BA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150682944Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:38.149{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF2EB0A6269D4718542A6CCA3DA572B0,SHA256=E20CE210008E0DF30D586EB9AB4603D616C9B0CBFF772DAA808107F1E2E0C775,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087177Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:39.204{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B16402D1CB5B7B5F5DE5EA922DAACAE2,SHA256=4D268795241B2D59A56023D6A12D17ED24DF6229C54A4F7DDEF3D8407DE986D4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000150682948Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:21.721{3BF36828-4B56-61E8-6D00-00000000CF01}4044C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local59760-false10.0.1.12-8000- 23542300x8000000000000000150682947Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:39.196{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=583486A226C790E0A990321824D0AED4,SHA256=D3F9284C19309A015FCBEA77DBD0615DD3C1A30B6C8F74A50AC9C3C2D9784BC2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150682946Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:39.196{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=63674D88C0AF490A4BDF12F516317956,SHA256=B2B17B1606ED2730DCCAE6E24E772D5746F77CC12170CF867E9FC7C2955884DC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150682945Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:39.164{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29A5DA4CC00D78D33E10C56D8120CE6A,SHA256=6973FAD78B13300A93374A3678B5B6D48901F13209F98DD5494C29C3ECD1723F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150682949Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:40.180{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AE81D47F1DBDEFFB62C04BC746A0E89,SHA256=DA968869D028D4EFB5188DF2FE358D246EB1FDB575BF7870D0926105561C9684,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087178Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:40.220{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91135E8C21DF3DB3C2C27D4E9557FC60,SHA256=D8A33BE97B444E0C7E5ABAE0F86101E560F656525FD3331AD7663D3A03D100AB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087179Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:41.236{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90E6D5461AB84AA5858E0093C6CD520F,SHA256=85282056E19F6C7BED3B364AD163EE31676B347AE43EE6DF298386CCFF9363E8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150682950Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:41.211{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DC379BBD040F740EF279B53B59EC7BF,SHA256=52EC1B2B9F721AEE3AC0A4715161C5F72A19292FCA144861EA4A33765E80E397,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087180Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:42.236{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A45C9270ED854EA5FF0113F9207092EA,SHA256=018EF5B3DE5C4EDEF0F2E34AE4E4270FD800CF51143D4959F5E8F6795B2B7B3B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150682951Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:42.258{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DEEBD13D1E25286F4EB6F820D6C1B39,SHA256=B2C47125C189E945C118D91ADBCEBB4B76475D32349F3520CE4CF278814777F9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000071087182Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:35.733{B81B27B7-4B45-61E8-6600-00000000CE01}4020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local54094-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000071087181Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:43.251{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E47622096C6806FA69284874494AA8D,SHA256=4CFD06EFCF4A7FB726C858AA3A9FAD679C85EC6E30454938B51965F87C19A71C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150682952Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:43.289{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88D5B444583A4A978525FC6D7F1D34E9,SHA256=2CFBED9000FEF020E8AA9E4B5BC45B38322243CCEC6B6F29B6F62A41690DFD7B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087183Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:44.282{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB26CACBFA30192DC75E50D70EA45228,SHA256=546D033FB25ED52BC8718EE98F80EF5E119B9C141C69CFD4D3AD7DD866743B83,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150682956Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:44.291{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75DC48D3FFAEFF0E906779C243144AE9,SHA256=47B947BDEE33E9551D3CAC0899B8E6372CE8FA7A4ECDE0E61858B35552F4B71C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 13241300x8000000000000000150682955Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2022-02-01 22:58:44.181{3BF36828-4B49-61E8-2700-00000000CF01}2840C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\D370F6FF-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_D370F6FF-0000-0000-0000-100000000000.XML 13241300x8000000000000000150682954Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2022-02-01 22:58:44.166{3BF36828-4B49-61E8-2700-00000000CF01}2840C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\CA735696-6C26-4910-BF98-1B50C97DCBCC\Config SourceDWORD (0x00000001) 13241300x8000000000000000150682953Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2022-02-01 22:58:44.166{3BF36828-4B49-61E8-2700-00000000CF01}2840C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\CA735696-6C26-4910-BF98-1B50C97DCBCC\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_CA735696-6C26-4910-BF98-1B50C97DCBCC.XML 23542300x800000000000000071087184Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:45.298{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E18C38DB58634146223BDC8039D1129,SHA256=BC733E2BA7702FB422C04458B97E287261C7C5FB35D6896916C78E0A2827C6FB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150682962Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:45.294{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00B67F82CFFCF9CACA608ACF384594B4,SHA256=FE4108F83E032D7DB6D830BA1C66A027A09F6E5F3F52BF0EEB28530970FDB72C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000150682961Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:27.739{3BF36828-4B39-61E8-0D00-00000000CF01}900C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local59762-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local135epmap 354300x8000000000000000150682960Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:27.739{3BF36828-4B49-61E8-2700-00000000CF01}2840C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local59762-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local135epmap 354300x8000000000000000150682959Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:27.660{3BF36828-4B56-61E8-6D00-00000000CF01}4044C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local59761-false10.0.1.12-8000- 23542300x8000000000000000150682958Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:45.091{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=032D8131BC08483160A2B762CDD6587B,SHA256=8E1B8AE1EE45074B757F085810E76187DEF9BC3EF2FEA5E534B9F18876FD7810,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150682957Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:45.091{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=583486A226C790E0A990321824D0AED4,SHA256=D3F9284C19309A015FCBEA77DBD0615DD3C1A30B6C8F74A50AC9C3C2D9784BC2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087186Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:46.392{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=874A5CB92C9B8C6162711389FE7A7E06,SHA256=3D907FD8036BE2E906B76FB2D32B975AA0B06F864DE0AD08676403B5A97FBEA6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150682967Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:46.310{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=322AF92843B527066353C6B155525E6F,SHA256=E030DEC3DFBD515B9EDAB380E3A7542EAA2F96D1CA366CB160E6DBD2B1020DF0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087185Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:46.142{B81B27B7-4B3A-61E8-2600-00000000CE01}2172NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000150682966Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:27.762{3BF36828-4B37-61E8-0B00-00000000CF01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local59764-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local389ldap 354300x8000000000000000150682965Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:27.762{3BF36828-4B49-61E8-2700-00000000CF01}2840C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local59764-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local389ldap 354300x8000000000000000150682964Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:27.755{3BF36828-4B37-61E8-0B00-00000000CF01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local59763-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local389ldap 354300x8000000000000000150682963Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:27.755{3BF36828-4B49-61E8-2700-00000000CF01}2840C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local59763-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local389ldap 23542300x800000000000000071087188Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:47.454{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0FA3CC53609A606806B4739D2D70A52,SHA256=2A4041F350B529594DAF35B0298C956F13AA2DDD804728F80970CEFBC2059C98,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150682968Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:47.311{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22E06C3937B14511106B3B78942B505E,SHA256=F60AAA923E834AFE07AC46A701081D105581BC179327D92D856307AA52D8737B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000071087187Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:40.795{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local54095-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x800000000000000071087190Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:48.470{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5830BE8983C8A1D13788B5B81A18FAFD,SHA256=4874921936B2F307A9495799CBFAF42780E8B8EE06952F631B9CCF4716626D3C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 13241300x8000000000000000150682975Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2022-02-01 22:58:48.981{3BF36828-4B33-61E8-0100-00000000CF01}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\NextInstanceDWORD (0x00000001) 13241300x8000000000000000150682974Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2022-02-01 22:58:48.981{3BF36828-4B33-61E8-0100-00000000CF01}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\CountDWORD (0x00000001) 12241200x8000000000000000150682973Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-DeleteValue2022-02-01 22:58:48.981{3BF36828-4B33-61E8-0100-00000000CF01}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\1 13241300x8000000000000000150682972Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2022-02-01 22:58:48.981{3BF36828-4B33-61E8-0100-00000000CF01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\NextInstanceDWORD (0x00000001) 13241300x8000000000000000150682971Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2022-02-01 22:58:48.981{3BF36828-4B33-61E8-0100-00000000CF01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\CountDWORD (0x00000001) 12241200x8000000000000000150682970Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-DeleteValue2022-02-01 22:58:48.981{3BF36828-4B33-61E8-0100-00000000CF01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\1 23542300x8000000000000000150682969Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:48.325{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=315E67730CC03FC46C0339CA8285189C,SHA256=587BFBC21F94270EA19EEB592297BD2CB529859D8D5AF882A1BBBE33BDC2D946,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000071087189Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:40.858{B81B27B7-4B45-61E8-6600-00000000CE01}4020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local54096-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000071087191Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:49.704{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BF860B281B642655DBEF36E9ED53FE4,SHA256=BE25110FCF4EC26A2127506E9E485971C850BC5A4C817513CFF36789E807A543,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000150683085Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.778{3BF36828-0669-61F8-11DA-01000000CF01}6068C:\Windows\explorer.exeC:\Windows\System32\zipfldr.dll10.0.14393.4169 (rs1_release.210107-1130)Compressed (zipped) FoldersMicrosoft® Windows® Operating SystemMicrosoft CorporationZIPFLDR.DLLMD5=4849E9F93A0F34EC87F82E26049B47FD,SHA256=ADA89724741D0053E8322199764BDF5B39F7B94C0D973248D5FC7AF2F59C8590,IMPHASH=FA770D60A54EF20694B1F385EAA957B5trueMicrosoft WindowsValid 23542300x8000000000000000150683084Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.388{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC6681B258FC7F0BA4C688D4D9D68D3E,SHA256=EB16908C55CF32DCE6030FBA25A84B16AC67762D1360224D9213963A830D3491,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150683083Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.356{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B36DC8792B0D8D6C446070ED981B697E,SHA256=C4C053F2CD177B5B74CC6152BF500B909CA77A0FAE8FA5C7815ED3722806ED25,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000150683082Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.247{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683081Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.247{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683080Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.247{3BF36828-4B39-61E8-0C00-00000000CF01}8401248C:\Windows\system32\svchost.exe{3BF36828-DC58-61EA-5E4E-00000000CF01}1296C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683079Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.247{3BF36828-4B39-61E8-0C00-00000000CF01}8401248C:\Windows\system32\svchost.exe{3BF36828-DC58-61EA-5E4E-00000000CF01}1296C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683078Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.247{3BF36828-4B39-61E8-0C00-00000000CF01}8401248C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-0F00-00000000CF01}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+b4ff|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000150683077Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.247{3BF36828-4B39-61E8-0C00-00000000CF01}8403164C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683076Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.247{3BF36828-4B39-61E8-0C00-00000000CF01}8403164C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683075Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.247{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-0669-61F8-11DA-01000000CF01}6068C:\Windows\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683074Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.247{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683073Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.247{3BF36828-4B39-61E8-0C00-00000000CF01}8402592C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683072Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.247{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683071Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.247{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683070Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.247{3BF36828-4B39-61E8-0C00-00000000CF01}8402592C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683069Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.247{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683068Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.247{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683067Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.247{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683066Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.247{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683065Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.247{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683064Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.247{3BF36828-4B39-61E8-0C00-00000000CF01}8402592C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683063Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.247{3BF36828-4B39-61E8-0C00-00000000CF01}8402592C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683062Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.247{3BF36828-4B39-61E8-0C00-00000000CF01}8401248C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683061Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.247{3BF36828-4B39-61E8-0C00-00000000CF01}8401248C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683060Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.247{3BF36828-4B39-61E8-0C00-00000000CF01}8401248C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683059Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.247{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683058Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.247{3BF36828-4B39-61E8-0C00-00000000CF01}8402592C:\Windows\system32\svchost.exe{3BF36828-DC58-61EA-5E4E-00000000CF01}1296C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683057Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.247{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683056Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.247{3BF36828-4B39-61E8-0C00-00000000CF01}8401248C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683055Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.247{3BF36828-4B39-61E8-0C00-00000000CF01}8402592C:\Windows\system32\svchost.exe{3BF36828-DC58-61EA-5E4E-00000000CF01}1296C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683054Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.247{3BF36828-4B39-61E8-0C00-00000000CF01}8401248C:\Windows\system32\svchost.exe{3BF36828-0669-61F8-11DA-01000000CF01}6068C:\Windows\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683053Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.247{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683052Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.247{3BF36828-4B39-61E8-0C00-00000000CF01}8401248C:\Windows\system32\svchost.exe{3BF36828-DC58-61EA-5E4E-00000000CF01}1296C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683051Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.247{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000150683050Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.247{3BF36828-0669-61F8-11DA-01000000CF01}6068ATTACKRANGE\AdministratorC:\Windows\explorer.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1920_1080_POS4.jpgMD5=29909D3B662A429603C439A25717C213,SHA256=1C83A5D03C17235C3249936859F101C2934B0A7D569553A0D97C97A332ABE1AC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000150683049Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.233{3BF36828-BB29-61F9-7F0D-02000000CF01}6104C:\Windows\System32\TSTheme.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x8000000000000000150683048Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.233{3BF36828-BB29-61F9-7F0D-02000000CF01}6104C:\Windows\System32\TSTheme.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430D,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x8000000000000000150683047Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.233{3BF36828-BB29-61F9-7F0D-02000000CF01}6104C:\Windows\System32\TSTheme.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CA,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x8000000000000000150683046Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.233{3BF36828-BB29-61F9-7F0D-02000000CF01}6104C:\Windows\System32\TSTheme.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x8000000000000000150683045Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.233{3BF36828-BB29-61F9-7F0D-02000000CF01}6104C:\Windows\System32\TSTheme.exeC:\Windows\System32\windows.storage.dll10.0.14393.4402 (rs1_release.210426-1725)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=DCB0FEE21129CF5397BBB8060CC5F62C,SHA256=89A6859022294A24D5253F4206FD49A45A1DEF34ACC894BF94CA0203DAE81623,IMPHASH=181A859176420BBB803F246C0E4B0889trueMicrosoft WindowsValid 734700x8000000000000000150683044Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.233{3BF36828-BB29-61F9-7F0D-02000000CF01}6104C:\Windows\System32\TSTheme.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x8000000000000000150683043Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.233{3BF36828-BB29-61F9-7F0D-02000000CF01}6104C:\Windows\System32\TSTheme.exeC:\Windows\System32\shell32.dll10.0.14393.4402 (rs1_release.210426-1725)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=5B28CA0CDE72EA21C402B62DDA249256,SHA256=8E46588F0A51745F89CB6C3011B227BE504D9B9D14FF33910DF57F4EDF15ED9A,IMPHASH=2ED99A476E2DEFB78DF894322CB4A549trueMicrosoft WindowsValid 10341000x8000000000000000150683042Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.233{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-DC57-61EA-594E-00000000CF01}304C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683041Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.233{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-DC57-61EA-594E-00000000CF01}304C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150683040Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.219{3BF36828-BB29-61F9-7F0D-02000000CF01}6104C:\Windows\System32\TSTheme.exeC:\Windows\System32\sxs.dll10.0.14393.4169 (rs1_release.210107-1130)Fusion 2.5Microsoft® Windows® Operating SystemMicrosoft CorporationSXS.DLLMD5=54FB18CA661D074CBB60D5A58D40C8D3,SHA256=A2BD6160222A216F8A6830C1273662F8AE88F53D2CE6DA5893FF70D146A0A2B0,IMPHASH=FED414075FF3F23F21C898B1860393B4trueMicrosoft WindowsValid 734700x8000000000000000150683039Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.200{3BF36828-BB29-61F9-7F0D-02000000CF01}6104C:\Windows\System32\TSTheme.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2,IMPHASH=0BE8D1F061DD646F6D2B834CB7C9C900trueMicrosoft WindowsValid 10341000x8000000000000000150683038Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.200{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-BB29-61F9-7F0D-02000000CF01}6104C:\Windows\system32\TSTheme.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683037Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.200{3BF36828-4B3A-61E8-1600-00000000CF01}13002144C:\Windows\system32\svchost.exe{3BF36828-BB29-61F9-7F0D-02000000CF01}6104C:\Windows\system32\TSTheme.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683036Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.200{3BF36828-4B3A-61E8-1600-00000000CF01}13001356C:\Windows\system32\svchost.exe{3BF36828-BB29-61F9-7F0D-02000000CF01}6104C:\Windows\system32\TSTheme.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150683035Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.200{3BF36828-BB29-61F9-7F0D-02000000CF01}6104C:\Windows\System32\TSTheme.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 734700x8000000000000000150683034Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.200{3BF36828-BB29-61F9-7F0D-02000000CF01}6104C:\Windows\System32\TSTheme.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000150683033Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.200{3BF36828-BB29-61F9-7F0D-02000000CF01}6104C:\Windows\System32\TSTheme.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x8000000000000000150683032Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.200{3BF36828-BB29-61F9-7F0D-02000000CF01}6104C:\Windows\System32\TSTheme.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000150683031Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.200{3BF36828-BB29-61F9-7F0D-02000000CF01}6104C:\Windows\System32\TSTheme.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000150683030Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.200{3BF36828-BB29-61F9-7F0D-02000000CF01}6104C:\Windows\System32\TSTheme.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000150683029Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.200{3BF36828-BB29-61F9-7F0D-02000000CF01}6104C:\Windows\System32\TSTheme.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000150683028Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.200{3BF36828-BB29-61F9-7F0D-02000000CF01}6104C:\Windows\System32\TSTheme.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000150683027Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.200{3BF36828-BB29-61F9-7F0D-02000000CF01}6104C:\Windows\System32\TSTheme.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000150683026Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.200{3BF36828-BB29-61F9-7F0D-02000000CF01}6104C:\Windows\System32\TSTheme.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000150683025Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.200{3BF36828-BB29-61F9-7F0D-02000000CF01}6104C:\Windows\System32\TSTheme.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000150683024Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.200{3BF36828-BB29-61F9-7F0D-02000000CF01}6104C:\Windows\System32\TSTheme.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150683023Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.200{3BF36828-BB29-61F9-7F0D-02000000CF01}6104C:\Windows\System32\TSTheme.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000150683022Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.200{3BF36828-BB29-61F9-7F0D-02000000CF01}6104C:\Windows\System32\TSTheme.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000150683021Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.200{3BF36828-BB29-61F9-7F0D-02000000CF01}6104C:\Windows\System32\TSTheme.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000150683020Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.200{3BF36828-BB29-61F9-7F0D-02000000CF01}6104C:\Windows\System32\TSTheme.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000150683019Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.200{3BF36828-BB29-61F9-7F0D-02000000CF01}6104C:\Windows\System32\TSTheme.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x8000000000000000150683018Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.200{3BF36828-DC57-61EA-584E-00000000CF01}10405080C:\Windows\system32\csrss.exe{3BF36828-BB29-61F9-7F0D-02000000CF01}6104C:\Windows\system32\TSTheme.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 734700x8000000000000000150683017Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.200{3BF36828-BB29-61F9-7F0D-02000000CF01}6104C:\Windows\System32\TSTheme.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000150683016Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.200{3BF36828-BB29-61F9-7F0D-02000000CF01}6104C:\Windows\System32\TSTheme.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000150683015Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.185{3BF36828-BB29-61F9-7F0D-02000000CF01}6104C:\Windows\System32\TSTheme.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150683014Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.185{3BF36828-BB29-61F9-7F0D-02000000CF01}6104C:\Windows\System32\TSTheme.exeC:\Windows\System32\TSTheme.exe10.0.14393.4169 (rs1_release.210107-1130)TSTheme Server ModuleMicrosoft® Windows® Operating SystemMicrosoft CorporationTSThemeS.exeMD5=D5E6B1DA9AEE1CC85A50894A07700B98,SHA256=3A22AAA677B8B658386F6A22ECFB36795DC1BE55AED591FEAA05CA8D36973464,IMPHASH=851EBF0BAEED8A212E02B93229FDC674trueMicrosoft WindowsValid 10341000x8000000000000000150683013Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.185{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683012Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.185{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683011Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.185{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683010Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.185{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683009Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.185{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683008Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.185{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683007Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.185{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683006Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.185{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683005Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.185{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683004Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.185{3BF36828-4B36-61E8-0500-00000000CF01}416432C:\Windows\system32\csrss.exe{3BF36828-BB29-61F9-7F0D-02000000CF01}6104C:\Windows\system32\TSTheme.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000150683003Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.185{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-BB29-61F9-7F0D-02000000CF01}6104C:\Windows\system32\TSTheme.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35af2|c:\windows\system32\rpcss.dll+3c90d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000150683002Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.177{3BF36828-BB29-61F9-7F0D-02000000CF01}6104C:\Windows\System32\TSTheme.exe10.0.14393.4169 (rs1_release.210107-1130)TSTheme Server ModuleMicrosoft® Windows® Operating SystemMicrosoft CorporationTSThemeS.exeC:\Windows\system32\TSTheme.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{3BF36828-DC57-61EA-2C91-EE0200000000}0x2ee912c3HighMD5=D5E6B1DA9AEE1CC85A50894A07700B98,SHA256=3A22AAA677B8B658386F6A22ECFB36795DC1BE55AED591FEAA05CA8D36973464,IMPHASH=851EBF0BAEED8A212E02B93229FDC674{3BF36828-4B39-61E8-0C00-00000000CF01}840C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x8000000000000000150683001Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.185{3BF36828-DC58-61EA-5E4E-00000000CF01}12961028C:\Windows\System32\rdpclip.exe{3BF36828-0669-61F8-11DA-01000000CF01}6068C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a30ce|C:\Windows\System32\SHELL32.dll+d5032|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683000Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.185{3BF36828-DC58-61EA-5E4E-00000000CF01}12961028C:\Windows\System32\rdpclip.exe{3BF36828-0669-61F8-11DA-01000000CF01}6068C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a3038|C:\Windows\System32\SHELL32.dll+d5032|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150682999Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.185{3BF36828-DC58-61EA-5E4E-00000000CF01}12961028C:\Windows\System32\rdpclip.exe{3BF36828-0669-61F8-11DA-01000000CF01}6068C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+a301a|C:\Windows\System32\SHELL32.dll+d5032|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000150682998Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.185{3BF36828-DC58-61EA-5E4E-00000000CF01}12961028C:\Windows\System32\rdpclip.exe{3BF36828-0669-61F8-11DA-01000000CF01}6068C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+a301a|C:\Windows\System32\SHELL32.dll+d5032|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150682997Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.169{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1700-00000000CF01}1424C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150682996Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.169{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150682995Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.169{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\System32\svchost.exeC:\Windows\System32\es.dll2001.12.10941.16384 (rs1_release.201002-1707)COM+Microsoft® Windows® Operating SystemMicrosoft CorporationES.DLLMD5=C82536B6DCD3370E13D1D34D4A05F13F,SHA256=CD636DCC4516803B77C2CDFECF3A14ADF25F7A8B00F23F1D57A7BA7BD87663DF,IMPHASH=D7A4AD00167880B37A17C79825E9F4B4trueMicrosoft WindowsValid 10341000x8000000000000000150682994Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.169{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150682993Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.169{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150682992Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.169{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1400-00000000CF01}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150682991Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.169{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1400-00000000CF01}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150682990Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.169{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1400-00000000CF01}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150682989Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.169{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150682988Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.169{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150682987Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.169{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150682986Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.169{3BF36828-4B39-61E8-0C00-00000000CF01}8401248C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150682985Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.153{3BF36828-0669-61F8-11DA-01000000CF01}60685572C:\Windows\explorer.exe{3BF36828-066A-61F8-13DA-01000000CF01}3168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150682984Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.153{3BF36828-0669-61F8-11DA-01000000CF01}60685572C:\Windows\explorer.exe{3BF36828-066A-61F8-13DA-01000000CF01}3168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150682983Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.107{3BF36828-4B39-61E8-0C00-00000000CF01}8401248C:\Windows\system32\svchost.exe{3BF36828-DC57-61EA-5B4E-00000000CF01}4144C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150682982Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.107{3BF36828-4B39-61E8-0C00-00000000CF01}8401248C:\Windows\system32\svchost.exe{3BF36828-DC57-61EA-5B4E-00000000CF01}4144C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x8000000000000000150682981Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2022-02-01 22:58:49.044{3BF36828-4B33-61E8-0100-00000000CF01}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\NextInstanceDWORD (0x00000001) 13241300x8000000000000000150682980Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2022-02-01 22:58:49.044{3BF36828-4B33-61E8-0100-00000000CF01}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\CountDWORD (0x00000001) 12241200x8000000000000000150682979Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-DeleteValue2022-02-01 22:58:49.044{3BF36828-4B33-61E8-0100-00000000CF01}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\1 13241300x8000000000000000150682978Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2022-02-01 22:58:49.044{3BF36828-4B33-61E8-0100-00000000CF01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\NextInstanceDWORD (0x00000000) 13241300x8000000000000000150682977Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2022-02-01 22:58:49.044{3BF36828-4B33-61E8-0100-00000000CF01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\CountDWORD (0x00000000) 12241200x8000000000000000150682976Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-DeleteValue2022-02-01 22:58:49.044{3BF36828-4B33-61E8-0100-00000000CF01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\0 23542300x800000000000000071087192Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:50.798{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CC754444241EC2EF844A004A66C0836,SHA256=7C586A4100E6D3DBA930D236C523772E91D1D9B021AE340349EA72EB2A31A098,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000150683090Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:32.772{3BF36828-4B56-61E8-6D00-00000000CF01}4044C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local59765-false10.0.1.12-8000- 23542300x8000000000000000150683089Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:50.357{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D40ED491AEA70F58A3A6E2F726795EB,SHA256=064F243E9EBA8B35C07EFB605A2A693D2FF6E7965CA6340BC1F40FFDE58404AF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150683088Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:50.060{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=032D8131BC08483160A2B762CDD6587B,SHA256=8E1B8AE1EE45074B757F085810E76187DEF9BC3EF2FEA5E534B9F18876FD7810,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150683087Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:50.028{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PrintService_OperationalMD5=66BEB7067473CCA520E98F673B03CC86,SHA256=D8846E9D2AD8C6958D4B1B00AA6705BA64FD32EB012CCCFAA8429E9C444D44B7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150683086Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:50.028{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PrintService_OperationalMD5=BACB02DD435925B85171158E64713109,SHA256=14A8B516E2086797E0D25DCD822BDCA4A05C2D8FCB597FBF679F8076AC36E6C0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000150683092Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:33.482{3BF36828-4B39-61E8-0F00-00000000CF01}100C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse72.43.121.44rrcs-72-43-121-44.nyc.biz.rr.com44952-false10.0.1.14win-dc-128.attackrange.local3389ms-wbt-server 23542300x8000000000000000150683091Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:51.372{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72876A79336236B4D0CCCA002D32A49F,SHA256=0BD2308B9A83E5AADAD9C27F8ADD5E83273673D80F12078A3EBAED38977338E8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000071087194Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:45.873{B81B27B7-4B45-61E8-6600-00000000CE01}4020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local54097-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000071087193Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:52.032{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86E15CE4485A1709CFC7E991F8097B76,SHA256=2F0F03EA6DF0AD308A8865064F02F4CCA9BAA6191482A0E165E7877B308120EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000150683238Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.997{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000150683237Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.997{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150683236Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.997{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000150683235Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.997{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000150683234Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.981{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000150683233Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.981{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000150683232Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.981{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000150683231Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.981{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000150683230Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.981{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000150683229Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.981{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000150683228Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.981{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x8000000000000000150683227Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.981{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683226Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.981{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150683225Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.981{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150683224Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.981{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\LogonUI.exe10.0.14393.0 (rs1_release.160715-1616)Windows Logon User Interface HostMicrosoft® Windows® Operating SystemMicrosoft Corporationlogonui.exeMD5=B38DFCF985D8AE5B1A17C264981E61C7,SHA256=AA62D29803D52EC06CD27ED3124E034048F09606EB7342181913C9817C7B44C5,IMPHASH=A6F3A84D171E55B51A7343E05C8DFAC3trueMicrosoft WindowsValid 734700x8000000000000000150683223Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.981{3BF36828-BB2C-61F9-810D-02000000CF01}2524C:\Windows\System32\csrss.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000150683222Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.966{3BF36828-BB2C-61F9-810D-02000000CF01}2524C:\Windows\System32\csrss.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 10341000x8000000000000000150683221Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.966{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683220Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.966{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683219Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.966{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683218Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.966{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683217Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.966{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683216Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.966{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683215Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.966{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683214Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.966{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683213Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.966{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150683212Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.966{3BF36828-BB2C-61F9-810D-02000000CF01}2524C:\Windows\System32\csrss.exeC:\Windows\System32\sxs.dll10.0.14393.4169 (rs1_release.210107-1130)Fusion 2.5Microsoft® Windows® Operating SystemMicrosoft CorporationSXS.DLLMD5=54FB18CA661D074CBB60D5A58D40C8D3,SHA256=A2BD6160222A216F8A6830C1273662F8AE88F53D2CE6DA5893FF70D146A0A2B0,IMPHASH=FED414075FF3F23F21C898B1860393B4trueMicrosoft WindowsValid 10341000x8000000000000000150683211Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.966{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B37-61E8-0B00-00000000CF01}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683210Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.966{3BF36828-BB2C-61F9-810D-02000000CF01}25243744C:\Windows\system32\csrss.exe{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\system32\LogonUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000150683209Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.966{3BF36828-4B37-61E8-0B00-00000000CF01}6322768C:\Windows\system32\lsass.exe{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683208Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.966{3BF36828-4B37-61E8-0B00-00000000CF01}6322768C:\Windows\system32\lsass.exe{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683207Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.966{3BF36828-4B37-61E8-0B00-00000000CF01}6322768C:\Windows\system32\lsass.exe{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683206Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.966{3BF36828-BB2C-61F9-820D-02000000CF01}912308C:\Windows\system32\winlogon.exe{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\system32\LogonUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\winlogon.exe+193b7|C:\Windows\system32\winlogon.exe+22617|C:\Windows\system32\winlogon.exe+2b287|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000150683205Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.971{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exe10.0.14393.0 (rs1_release.160715-1616)Windows Logon User Interface HostMicrosoft® Windows® Operating SystemMicrosoft Corporationlogonui.exe"LogonUI.exe" /flags:0x2 /state0:0xa3895855 /state1:0x41c64e6dC:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4B37-61E8-E703-000000000000}0x3e74SystemMD5=B38DFCF985D8AE5B1A17C264981E61C7,SHA256=AA62D29803D52EC06CD27ED3124E034048F09606EB7342181913C9817C7B44C5,IMPHASH=A6F3A84D171E55B51A7343E05C8DFAC3{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\System32\winlogon.exewinlogon.exe 734700x8000000000000000150683204Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.966{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\System32\winlogon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000150683203Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.966{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\System32\winlogon.exeC:\Windows\System32\dwminit.dll10.0.14393.2273 (rs1_release_1.180427-1811)DWMInitMicrosoft® Windows® Operating SystemMicrosoft CorporationDWMInit.DLLMD5=2F84B6415D918374A67E50BCE01C3CA2,SHA256=D6A64DE0BFDD504D9C57760F8847EEB3F637774D958BD9D52F000B66EB2AD9D2,IMPHASH=8A9252872C3861ED35BE90BB3A9E6429trueMicrosoft WindowsValid 10341000x8000000000000000150683202Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.966{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683201Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.966{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683200Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.966{3BF36828-4B3A-61E8-1600-00000000CF01}13002144C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150683199Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.950{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\System32\winlogon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 10341000x8000000000000000150683198Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.950{3BF36828-4B3A-61E8-1600-00000000CF01}13002144C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+4689|c:\windows\system32\themeservice.dll+3fdd|c:\windows\system32\themeservice.dll+3c53|c:\windows\system32\themeservice.dll+2675|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683197Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.950{3BF36828-4B3A-61E8-1600-00000000CF01}13001356C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150683196Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.950{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\System32\winlogon.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 10341000x8000000000000000150683195Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.950{3BF36828-4B3A-61E8-1600-00000000CF01}13002144C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\system32\winlogon.exe0x147aC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\themeservice.dll+3de3|c:\windows\system32\themeservice.dll+26c0|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683194Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.950{3BF36828-4B3A-61E8-1600-00000000CF01}13001356C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150683193Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.950{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\System32\winlogon.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430D,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x8000000000000000150683192Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.950{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\System32\winlogon.exeC:\Windows\System32\UXInit.dll10.0.14393.0 (rs1_release.160715-1616)Windows User Experience Session Initialization DllMicrosoft® Windows® Operating SystemMicrosoft CorporationUXINIT.DLLMD5=3803D95BBCB88A09B1F4043F77B0A52C,SHA256=C7B7522CA9BA3F683ADCFB20AE30533B34E4FC91BEDD283E93D0B733E6B97049,IMPHASH=ED2AB7D8E1273F7C87D4CE77B3E62340trueMicrosoft WindowsValid 734700x8000000000000000150683191Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.935{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\System32\winlogon.exeC:\Windows\System32\KBDUS.DLL10.0.14393.0 (rs1_release.160715-1616)United States Keyboard LayoutMicrosoft® Windows® Operating SystemMicrosoft Corporationkbdus.dllMD5=974F03FF3BDB6786F890329340E29CFF,SHA256=D02BCC19AB89EE188DD31D17DEBAECDE26CFC0B30B6E5B0CC5889CCC85202E63,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150683190Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.935{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\System32\winlogon.exeC:\Windows\System32\KBDUS.DLL10.0.14393.0 (rs1_release.160715-1616)United States Keyboard LayoutMicrosoft® Windows® Operating SystemMicrosoft Corporationkbdus.dllMD5=974F03FF3BDB6786F890329340E29CFF,SHA256=D02BCC19AB89EE188DD31D17DEBAECDE26CFC0B30B6E5B0CC5889CCC85202E63,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150683189Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.888{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\System32\winlogon.exeC:\Windows\System32\KBDUS.DLL10.0.14393.0 (rs1_release.160715-1616)United States Keyboard LayoutMicrosoft® Windows® Operating SystemMicrosoft Corporationkbdus.dllMD5=974F03FF3BDB6786F890329340E29CFF,SHA256=D02BCC19AB89EE188DD31D17DEBAECDE26CFC0B30B6E5B0CC5889CCC85202E63,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150683188Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.888{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\System32\winlogon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000150683187Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.888{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\System32\winlogon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000150683186Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.888{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\System32\winlogon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000150683185Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.888{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\System32\winlogon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000150683184Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.888{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\System32\winlogon.exeC:\Windows\System32\msctf.dll10.0.14393.4225 (rs1_release.210127-1811)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=1FD254D30743876981194F7E17ECDB6F,SHA256=0CB67AC140097A888B7ED85C9A31F8967D16661B82557CE5D61FA70A85BDF8B8,IMPHASH=BC8DDE4D2412D48001350313FD2B7840trueMicrosoft WindowsValid 734700x8000000000000000150683183Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.872{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\System32\winlogon.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x8000000000000000150683182Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.872{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\System32\winlogon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000150683181Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.872{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\System32\winlogon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000150683180Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.872{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\System32\winlogon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150683179Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.872{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\System32\winlogon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000150683178Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.826{3BF36828-BB2C-61F9-810D-02000000CF01}25246028C:\Windows\system32\csrss.exe{3BF36828-4B39-61E8-0F00-00000000CF01}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\winsrv.DLL+1ef0|C:\Windows\system32\winsrv.DLL+17e9|C:\Windows\system32\winsrv.DLL+1579|C:\Windows\SYSTEM32\ntdll.dll+5178f 23542300x8000000000000000150683177Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.826{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CFBE502D1EAF6C2EEB6A4DFF5753CE43,SHA256=1AA77ACEC268E08E8591903CE3B3F5D0F2F68DF66689F2D86839E03A407F9567,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150683176Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.810{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=062156A9AB92B129A13CCD04C73F1113,SHA256=E5F63DD0640899ED4B0557545DF3CAEB7EF0F8B884DD7AAC7B3B557D6298C837,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 13241300x8000000000000000150683175Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2022-02-01 22:58:52.638{3BF36828-4B33-61E8-0100-00000000CF01}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\NextInstanceDWORD (0x00000002) 13241300x8000000000000000150683174Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2022-02-01 22:58:52.638{3BF36828-4B33-61E8-0100-00000000CF01}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\CountDWORD (0x00000002) 13241300x8000000000000000150683173Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2022-02-01 22:58:52.638{3BF36828-4B33-61E8-0100-00000000CF01}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\1TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session4Mouse0 13241300x8000000000000000150683172Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2022-02-01 22:58:52.638{3BF36828-4B33-61E8-0100-00000000CF01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\NextInstanceDWORD (0x00000002) 13241300x8000000000000000150683171Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2022-02-01 22:58:52.638{3BF36828-4B33-61E8-0100-00000000CF01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\CountDWORD (0x00000002) 13241300x8000000000000000150683170Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2022-02-01 22:58:52.638{3BF36828-4B33-61E8-0100-00000000CF01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\1TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session4Mouse0 13241300x8000000000000000150683169Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2022-02-01 22:58:52.638{3BF36828-4B33-61E8-0100-00000000CF01}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\NextInstanceDWORD (0x00000002) 13241300x8000000000000000150683168Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2022-02-01 22:58:52.638{3BF36828-4B33-61E8-0100-00000000CF01}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\CountDWORD (0x00000002) 13241300x8000000000000000150683167Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2022-02-01 22:58:52.638{3BF36828-4B33-61E8-0100-00000000CF01}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\1TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session4Keyboard0 13241300x8000000000000000150683166Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2022-02-01 22:58:52.638{3BF36828-4B33-61E8-0100-00000000CF01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\NextInstanceDWORD (0x00000001) 13241300x8000000000000000150683165Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2022-02-01 22:58:52.638{3BF36828-4B33-61E8-0100-00000000CF01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\CountDWORD (0x00000001) 13241300x8000000000000000150683164Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2022-02-01 22:58:52.638{3BF36828-4B33-61E8-0100-00000000CF01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\0TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session4Keyboard0 10341000x8000000000000000150683163Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.638{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+2387f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683162Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.638{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+2380c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683161Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.638{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+237c4|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150683160Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.638{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\System32\winlogon.exeC:\Windows\System32\winsta.dll10.0.14393.0 (rs1_release.160715-1616)Winstation LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationwinsta.dllMD5=12668CEFEE3754CFA61C5699821668B3,SHA256=D0C81619EDE8B846D98417989684EF16DF3A053CC049C7281E40F3359AD5B570,IMPHASH=2E790E44628AED89C2CC17E1E4A5CE1CtrueMicrosoft WindowsValid 734700x8000000000000000150683159Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.638{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\System32\winlogon.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x8000000000000000150683158Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.622{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\System32\winlogon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x8000000000000000150683157Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.622{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\System32\winlogon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000150683156Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.622{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\System32\winlogon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000150683155Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.622{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\System32\winlogon.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x8000000000000000150683154Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.622{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\System32\winlogon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000150683153Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.622{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\System32\winlogon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000150683152Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.622{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\System32\winlogon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 10341000x8000000000000000150683151Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.622{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683150Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.622{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150683149Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.622{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\System32\winlogon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 10341000x8000000000000000150683148Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.622{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683147Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.622{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683146Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.622{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683145Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.622{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150683144Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.622{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\System32\winlogon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x8000000000000000150683143Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.622{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683142Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.622{3BF36828-4B39-61E8-0C00-00000000CF01}8402592C:\Windows\system32\svchost.exe{3BF36828-0669-61F8-11DA-01000000CF01}6068C:\Windows\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683141Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.622{3BF36828-4B39-61E8-0C00-00000000CF01}8403164C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683140Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.622{3BF36828-4B39-61E8-0C00-00000000CF01}8403164C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150683139Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.622{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\System32\winlogon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150683138Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.622{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\System32\winlogon.exeC:\Windows\System32\winlogon.exe10.0.14393.3204 (rs1_release.190830-1500)Windows Logon ApplicationMicrosoft® Windows® Operating SystemMicrosoft CorporationWINLOGON.EXEMD5=DEA4CE12F24601830083126E18A2C7C9,SHA256=F002F8C2EA49D21F242996E3D57F5FDD7995FE6DB524BB69BBD7F190CC0211A9,IMPHASH=3CF10D94C117DB4F6E9D523B93429D6DtrueMicrosoft WindowsValid 10341000x8000000000000000150683137Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.622{3BF36828-4B39-61E8-0C00-00000000CF01}8401248C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-810D-02000000CF01}2524C:\Windows\system32\csrss.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+1ac1c|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000150683136Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.622{3BF36828-4B39-61E8-0C00-00000000CF01}8401248C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1abf6|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000150683135Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.622{3BF36828-4B39-61E8-0C00-00000000CF01}8401248C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\system32\winlogon.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+1abdc|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000150683134Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.622{3BF36828-BB2C-61F9-800D-02000000CF01}52645240C:\Windows\System32\smss.exe{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\SYSTEM32\ntdll.dll+8c63e|C:\Windows\SYSTEM32\ntdll.dll+8c3e9|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+2042|\SystemRoot\System32\smss.exe+1d5e|\SystemRoot\System32\smss.exe+1b09|\SystemRoot\System32\smss.exe+14cb|\SystemRoot\System32\smss.exe+130f|\SystemRoot\System32\smss.exe+1096|C:\Windows\SYSTEM32\ntdll.dll+5178f 154100x8000000000000000150683133Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.633{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\System32\winlogon.exe10.0.14393.3204 (rs1_release.190830-1500)Windows Logon ApplicationMicrosoft® Windows® Operating SystemMicrosoft CorporationWINLOGON.EXEwinlogon.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4B37-61E8-E703-000000000000}0x3e74SystemMD5=DEA4CE12F24601830083126E18A2C7C9,SHA256=F002F8C2EA49D21F242996E3D57F5FDD7995FE6DB524BB69BBD7F190CC0211A9,IMPHASH=3CF10D94C117DB4F6E9D523B93429D6D{3BF36828-BB2C-61F9-800D-02000000CF01}5264C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 0000012c 0000007c 10341000x8000000000000000150683132Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.622{3BF36828-4B33-61E8-0200-00000000CF01}3204744C:\Windows\System32\smss.exe{3BF36828-BB2C-61F9-810D-02000000CF01}2524C:\Windows\system32\csrss.exe0x101441C:\Windows\SYSTEM32\ntdll.dll+a6cc4|\SystemRoot\System32\smss.exe+3fee|\SystemRoot\System32\smss.exe+3b53|C:\Windows\SYSTEM32\ntdll.dll+1d3f1|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\SYSTEM32\ntdll.dll+5178f 734700x8000000000000000150683131Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.622{3BF36828-BB2C-61F9-810D-02000000CF01}2524C:\Windows\System32\csrss.exeC:\Windows\System32\sxssrv.dll10.0.14393.3630 (rs1_release.200407-1730)Windows SxS Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationsxssrvMD5=6544F8B9914C8EF44FFD2965D6D6C4DE,SHA256=B9FB6A183039AD35C0BE6D0DEBCB4618E15CF17D385E4886ED457DA23B31AB8B,IMPHASH=00AF6EC553770FC264FB6B6AB7AF069AtrueMicrosoft WindowsValid 10341000x8000000000000000150683130Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.622{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-810D-02000000CF01}2524C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+1a7a4|c:\windows\system32\lsm.dll+1aa31|C:\Windows\SYSTEM32\ntdll.dll+1d3f1|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150683129Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.622{3BF36828-BB2C-61F9-810D-02000000CF01}2524C:\Windows\System32\csrss.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000150683128Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.622{3BF36828-BB2C-61F9-810D-02000000CF01}2524C:\Windows\System32\csrss.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000150683127Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.622{3BF36828-BB2C-61F9-810D-02000000CF01}2524C:\Windows\System32\csrss.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000150683126Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.606{3BF36828-BB2C-61F9-810D-02000000CF01}2524C:\Windows\System32\csrss.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000150683125Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.606{3BF36828-BB2C-61F9-810D-02000000CF01}2524C:\Windows\System32\csrss.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150683124Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.606{3BF36828-BB2C-61F9-810D-02000000CF01}2524C:\Windows\System32\csrss.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000150683123Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.606{3BF36828-BB2C-61F9-810D-02000000CF01}2524C:\Windows\System32\csrss.exeC:\Windows\System32\winsrv.dll10.0.14393.3686 (rs1_release.200504-1524)Multi-User Windows Server DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationwinsrv.dllMD5=7BD8CD73F08B93E856BA2F7E6E93F6D0,SHA256=994340D9BF1DBE04F33544DC8FC4B1F72695AD5054F3409AA5F26743070DE55B,IMPHASH=C8D1A6852C2C1ACB144F54DCE583FF51trueMicrosoft WindowsValid 734700x8000000000000000150683122Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.606{3BF36828-BB2C-61F9-810D-02000000CF01}2524C:\Windows\System32\csrss.exeC:\Windows\System32\basesrv.dll10.0.14393.2969 (rs1_release.190503-1820)Windows NT BASE API Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationbasesrvMD5=E57547B04ECB8873391616364E94B1FD,SHA256=6A17093974B9F90EC0C18208DD620E63656C86027B2C26EEB05F0606584AAFA2,IMPHASH=37B4D578B2264868FB6A98DD88658A34trueMicrosoft WindowsValid 10341000x8000000000000000150683121Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.606{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683120Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.606{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683119Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.606{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683118Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.606{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150683117Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.606{3BF36828-BB2C-61F9-810D-02000000CF01}2524C:\Windows\System32\csrss.exeC:\Windows\System32\csrsrv.dll10.0.14393.187 (rs1_release_inmarket.160906-1818)Client Server Runtime ProcessMicrosoft® Windows® Operating SystemMicrosoft CorporationCSRSrv.DLLMD5=F1E2170B311D75405C53DFDFBDB6DC01,SHA256=346BBAB08F552E1DDBAD73DDDFC667CE211410C06CDF84C85E12B7CFC579E7C8,IMPHASH=483DAC0149F3BEB9F4281D2B8414EB83trueMicrosoft WindowsValid 10341000x8000000000000000150683116Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.606{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683115Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.606{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683114Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.606{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683113Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.606{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683112Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.606{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150683111Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.606{3BF36828-BB2C-61F9-810D-02000000CF01}2524C:\Windows\System32\csrss.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150683110Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.606{3BF36828-BB2C-61F9-810D-02000000CF01}2524C:\Windows\System32\csrss.exeC:\Windows\System32\csrss.exe10.0.14393.2969 (rs1_release.190503-1820)Client Server Runtime ProcessMicrosoft® Windows® Operating SystemMicrosoft CorporationCSRSS.ExeMD5=955E9227AA30A08B7465C109B863B886,SHA256=D896480BC8523FAD3AE152C81A2B572022C3778A34A6D85E089D150A68E9165E,IMPHASH=273BC9D936389D79244E6E56BE5096B6trueMicrosoft Windows PublisherValid 10341000x8000000000000000150683109Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.606{3BF36828-BB2C-61F9-800D-02000000CF01}52645240C:\Windows\System32\smss.exe{3BF36828-BB2C-61F9-810D-02000000CF01}2524C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\SYSTEM32\ntdll.dll+8c63e|C:\Windows\SYSTEM32\ntdll.dll+8c3e9|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+1ee4|\SystemRoot\System32\smss.exe+20a1|\SystemRoot\System32\smss.exe+1c92|\SystemRoot\System32\smss.exe+1af6|\SystemRoot\System32\smss.exe+14cb|\SystemRoot\System32\smss.exe+130f|\SystemRoot\System32\smss.exe+1096|C:\Windows\SYSTEM32\ntdll.dll+5178f 154100x8000000000000000150683108Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.618{3BF36828-BB2C-61F9-810D-02000000CF01}2524C:\Windows\System32\csrss.exe10.0.14393.2969 (rs1_release.190503-1820)Client Server Runtime ProcessMicrosoft® Windows® Operating SystemMicrosoft CorporationCSRSS.Exe%%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4B37-61E8-E703-000000000000}0x3e74SystemMD5=955E9227AA30A08B7465C109B863B886,SHA256=D896480BC8523FAD3AE152C81A2B572022C3778A34A6D85E089D150A68E9165E,IMPHASH=273BC9D936389D79244E6E56BE5096B6{3BF36828-BB2C-61F9-800D-02000000CF01}5264C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 0000012c 0000007c 10341000x8000000000000000150683107Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.606{3BF36828-4B33-61E8-0200-00000000CF01}3204744C:\Windows\System32\smss.exe{3BF36828-BB2C-61F9-800D-02000000CF01}5264C:\Windows\System32\smss.exe0x101441C:\Windows\SYSTEM32\ntdll.dll+a6cc4|\SystemRoot\System32\smss.exe+3fee|\SystemRoot\System32\smss.exe+3b53|C:\Windows\SYSTEM32\ntdll.dll+1d3f1|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000150683106Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.606{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683105Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.606{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683104Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.606{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683103Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.606{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683102Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.606{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683101Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.606{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683100Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.606{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683099Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.606{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150683098Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.606{3BF36828-BB2C-61F9-800D-02000000CF01}5264C:\Windows\System32\smss.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000150683097Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.606{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150683096Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.606{3BF36828-BB2C-61F9-800D-02000000CF01}5264C:\Windows\System32\smss.exeC:\Windows\System32\smss.exe10.0.14393.2969 (rs1_release.190503-1820)Windows Session ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationsmss.exeMD5=725EC50D4B0F607BF5B45B5E0115770B,SHA256=56881BCAEAC350107A6453F38F020FE0E284DBE2E8A6F37ED482985E0DD98EA7,IMPHASH=09DDECA5943933973FE7DDDD24ED724AtrueMicrosoft Windows PublisherValid 10341000x8000000000000000150683095Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.606{3BF36828-4B33-61E8-0200-00000000CF01}3204416C:\Windows\System32\smss.exe{3BF36828-BB2C-61F9-800D-02000000CF01}5264C:\Windows\System32\smss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\SYSTEM32\ntdll.dll+8c63e|C:\Windows\SYSTEM32\ntdll.dll+8c3e9|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+2042|\SystemRoot\System32\smss.exe+36ee|\SystemRoot\System32\smss.exe+3c31|C:\Windows\SYSTEM32\ntdll.dll+1d3f1|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\SYSTEM32\ntdll.dll+5178f 154100x8000000000000000150683094Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.594{3BF36828-BB2C-61F9-800D-02000000CF01}5264C:\Windows\System32\smss.exe10.0.14393.2969 (rs1_release.190503-1820)Windows Session ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationsmss.exe\SystemRoot\System32\smss.exe 0000012c 0000007c C:\Windows\NT AUTHORITY\SYSTEM{3BF36828-4B37-61E8-E703-000000000000}0x3e74SystemMD5=725EC50D4B0F607BF5B45B5E0115770B,SHA256=56881BCAEAC350107A6453F38F020FE0E284DBE2E8A6F37ED482985E0DD98EA7,IMPHASH=09DDECA5943933973FE7DDDD24ED724A{3BF36828-4B33-61E8-0200-00000000CF01}320C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 23542300x8000000000000000150683093Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.388{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67274C68DFD54ED5A902B2381B85E62D,SHA256=CBB51A2E46662CC2FCCE918F6CA484ADF8C432148A199AAFF8709B80C232DEA1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087195Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:53.032{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=583129FD41166BBB82F8596292FE20F5,SHA256=E1BCFC6A4859E3C87E166EAD92BADD4D50657B498E578A95C7BAD680C35BAE96,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000150683639Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.997{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683638Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.997{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683637Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.997{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683636Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.997{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683635Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.997{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683634Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.997{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683633Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.997{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683632Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.997{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683631Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.997{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|c:\windows\system32\lsm.dll+23fc9|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683630Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.997{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683629Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.997{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23fc1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683628Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.997{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|c:\windows\system32\lsm.dll+23fc9|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683627Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.997{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23fc1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x8000000000000000150683626Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-ConnectPipe2022-02-01 22:58:53.981{3BF36828-4B39-61E8-0F00-00000000CF01}100\TSVCPIPE-f3aae42b-6d29-4106-9be1-1abd921ef3a6C:\Windows\System32\svchost.exe 10341000x8000000000000000150683625Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.981{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+6260e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000150683624Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.981{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-0F00-00000000CF01}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+625bd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 18141800x8000000000000000150683623Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-ConnectPipe2022-02-01 22:58:53.981{3BF36828-4B39-61E8-0F00-00000000CF01}100\TSVCPIPE-f3aae42b-6d29-4106-9be1-1abd921ef3a6C:\Windows\System32\svchost.exe 17141700x8000000000000000150683622Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-CreatePipe2022-02-01 22:58:53.981{3BF36828-4B39-61E8-0F00-00000000CF01}100\TSVCPIPE-f3aae42b-6d29-4106-9be1-1abd921ef3a6C:\Windows\System32\svchost.exe 10341000x8000000000000000150683621Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.981{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683620Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.981{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683619Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.981{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683618Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.981{3BF36828-4B39-61E8-0C00-00000000CF01}8402592C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2200-00000000CF01}2720C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6668|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683617Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.981{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683616Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.981{3BF36828-4B39-61E8-0C00-00000000CF01}8402592C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683615Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.981{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683614Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.981{3BF36828-4B39-61E8-0C00-00000000CF01}8402592C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683613Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.981{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683612Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.981{3BF36828-4B39-61E8-0C00-00000000CF01}8402592C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2200-00000000CF01}2720C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683611Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.981{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683610Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.981{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683609Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.981{3BF36828-4B39-61E8-0C00-00000000CF01}8402592C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683608Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.981{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683607Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.981{3BF36828-4B39-61E8-0C00-00000000CF01}8402592C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683606Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.981{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683605Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.981{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683604Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.981{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683603Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.981{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683602Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.981{3BF36828-4B39-61E8-0C00-00000000CF01}8402592C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683601Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.981{3BF36828-4B39-61E8-0C00-00000000CF01}8402592C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683600Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.981{3BF36828-4B39-61E8-0C00-00000000CF01}8402592C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683599Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.981{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683598Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.981{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683597Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.981{3BF36828-4B39-61E8-0C00-00000000CF01}8402592C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683596Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.981{3BF36828-4B39-61E8-0C00-00000000CF01}8402592C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683595Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.981{3BF36828-4B39-61E8-0C00-00000000CF01}8402592C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683594Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.981{3BF36828-4B39-61E8-0C00-00000000CF01}8402592C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1400-00000000CF01}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683593Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.981{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683592Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.981{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23e0b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683591Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.981{3BF36828-4B39-61E8-0C00-00000000CF01}8402592C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1400-00000000CF01}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683590Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.981{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683589Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.981{3BF36828-4B39-61E8-0C00-00000000CF01}8402592C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1400-00000000CF01}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683588Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.981{3BF36828-4B39-61E8-0C00-00000000CF01}8402592C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683587Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.981{3BF36828-4B39-61E8-0C00-00000000CF01}8402592C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683586Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.981{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683585Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.981{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683584Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.981{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683583Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.981{3BF36828-4B39-61E8-0C00-00000000CF01}8402592C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-0F00-00000000CF01}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000150683582Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.981{3BF36828-4B39-61E8-0C00-00000000CF01}8402592C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683581Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.981{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-0F00-00000000CF01}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000150683580Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.981{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-0F00-00000000CF01}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000150683579Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.903{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-DC58-61EA-5E4E-00000000CF01}1296C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683578Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.903{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-DC58-61EA-5E4E-00000000CF01}1296C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683577Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.825{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-DC57-61EA-5B4E-00000000CF01}4144C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683576Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.825{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-DC57-61EA-5B4E-00000000CF01}4144C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683575Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.825{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-DC57-61EA-5B4E-00000000CF01}4144C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683574Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.825{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-DC57-61EA-5B4E-00000000CF01}4144C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x8000000000000000150683573Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-ConnectPipe2022-02-01 22:58:53.810{3BF36828-4B39-61E8-0F00-00000000CF01}100\TSVCPIPE-f3aae42b-6d29-4106-9be1-1abd921ef3a6C:\Windows\System32\svchost.exe 17141700x8000000000000000150683572Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-CreatePipe2022-02-01 22:58:53.810{3BF36828-4B39-61E8-0F00-00000000CF01}100\TSVCPIPE-f3aae42b-6d29-4106-9be1-1abd921ef3a6C:\Windows\System32\svchost.exe 10341000x8000000000000000150683571Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.810{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-0F00-00000000CF01}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+b4ff|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 23542300x8000000000000000150683570Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.778{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96883078161E9D157FB59A17C2BD1705,SHA256=547ECC57D1C84E743FC56EFCBC5BB325699FED5C74389D757AB8D06783630396,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000150683569Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.731{3BF36828-DC57-61EA-584E-00000000CF01}10403432C:\Windows\system32\csrss.exe{3BF36828-4B39-61E8-0C00-00000000CF01}840C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\winsrv.DLL+7de7|C:\Windows\system32\winsrv.DLL+17e9|C:\Windows\system32\winsrv.DLL+1579|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000150683568Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.731{3BF36828-DC57-61EA-584E-00000000CF01}10403432C:\Windows\system32\csrss.exe{3BF36828-4B39-61E8-0F00-00000000CF01}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\winsrv.DLL+1ef0|C:\Windows\system32\winsrv.DLL+17e9|C:\Windows\system32\winsrv.DLL+1579|C:\Windows\SYSTEM32\ntdll.dll+5178f 13241300x8000000000000000150683567Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2022-02-01 22:58:53.731{3BF36828-4B33-61E8-0100-00000000CF01}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\NextInstanceDWORD (0x00000002) 13241300x8000000000000000150683566Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2022-02-01 22:58:53.731{3BF36828-4B33-61E8-0100-00000000CF01}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\CountDWORD (0x00000002) 13241300x8000000000000000150683565Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2022-02-01 22:58:53.731{3BF36828-4B33-61E8-0100-00000000CF01}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\1TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session3Mouse0 13241300x8000000000000000150683564Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2022-02-01 22:58:53.731{3BF36828-4B33-61E8-0100-00000000CF01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\NextInstanceDWORD (0x00000002) 13241300x8000000000000000150683563Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2022-02-01 22:58:53.731{3BF36828-4B33-61E8-0100-00000000CF01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\CountDWORD (0x00000002) 13241300x8000000000000000150683562Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2022-02-01 22:58:53.731{3BF36828-4B33-61E8-0100-00000000CF01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\1TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session3Mouse0 13241300x8000000000000000150683561Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2022-02-01 22:58:53.731{3BF36828-4B33-61E8-0100-00000000CF01}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\NextInstanceDWORD (0x00000002) 13241300x8000000000000000150683560Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2022-02-01 22:58:53.731{3BF36828-4B33-61E8-0100-00000000CF01}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\CountDWORD (0x00000002) 13241300x8000000000000000150683559Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2022-02-01 22:58:53.731{3BF36828-4B33-61E8-0100-00000000CF01}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\1TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session3Keyboard0 13241300x8000000000000000150683558Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2022-02-01 22:58:53.731{3BF36828-4B33-61E8-0100-00000000CF01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\NextInstanceDWORD (0x00000001) 13241300x8000000000000000150683557Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2022-02-01 22:58:53.731{3BF36828-4B33-61E8-0100-00000000CF01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\CountDWORD (0x00000001) 13241300x8000000000000000150683556Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2022-02-01 22:58:53.731{3BF36828-4B33-61E8-0100-00000000CF01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\0TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session3Keyboard0 10341000x8000000000000000150683555Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.731{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-DC57-61EA-594E-00000000CF01}304C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683554Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.731{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-DC57-61EA-594E-00000000CF01}304C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683553Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.731{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1700-00000000CF01}1424C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683552Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.731{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683551Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.731{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683550Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.731{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1400-00000000CF01}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683549Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.731{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1400-00000000CF01}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683548Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.731{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1400-00000000CF01}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683547Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.731{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683546Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.731{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683545Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.731{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683544Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.731{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683543Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.731{3BF36828-4B39-61E8-0C00-00000000CF01}8402592C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683542Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.731{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683541Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.731{3BF36828-4B39-61E8-0C00-00000000CF01}8402592C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683540Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.731{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-0669-61F8-11DA-01000000CF01}6068C:\Windows\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x8000000000000000150683539Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2022-02-01 22:58:53.669{3BF36828-4B33-61E8-0100-00000000CF01}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\NextInstanceDWORD (0x00000001) 13241300x8000000000000000150683538Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2022-02-01 22:58:53.669{3BF36828-4B33-61E8-0100-00000000CF01}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\CountDWORD (0x00000001) 12241200x8000000000000000150683537Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-DeleteValue2022-02-01 22:58:53.669{3BF36828-4B33-61E8-0100-00000000CF01}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\1 13241300x8000000000000000150683536Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2022-02-01 22:58:53.669{3BF36828-4B33-61E8-0100-00000000CF01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\NextInstanceDWORD (0x00000000) 13241300x8000000000000000150683535Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2022-02-01 22:58:53.669{3BF36828-4B33-61E8-0100-00000000CF01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\CountDWORD (0x00000000) 12241200x8000000000000000150683534Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-DeleteValue2022-02-01 22:58:53.669{3BF36828-4B33-61E8-0100-00000000CF01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\0 734700x8000000000000000150683533Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.653{3BF36828-4B39-61E8-1500-00000000CF01}1232C:\Windows\System32\svchost.exeC:\Windows\System32\pnpts.dll10.0.14393.0 (rs1_release.160715-1616)PlugPlay TroubleshooterMicrosoft® Windows® Operating SystemMicrosoft Corporationpnpts.dllMD5=FFA44FD7FEDA32632E8CE84AD0F9101B,SHA256=2A0746A7876C1A430F9C9A5BE4BE28CAA2FF4F73477651AE5CC74462278F333B,IMPHASH=2AF0358C9B643BA1C759C9C883F150F5trueMicrosoft WindowsValid 13241300x8000000000000000150683532Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2022-02-01 22:58:53.591{3BF36828-4B33-61E8-0100-00000000CF01}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\NextInstanceDWORD (0x00000001) 13241300x8000000000000000150683531Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2022-02-01 22:58:53.591{3BF36828-4B33-61E8-0100-00000000CF01}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\CountDWORD (0x00000001) 12241200x8000000000000000150683530Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-DeleteValue2022-02-01 22:58:53.591{3BF36828-4B33-61E8-0100-00000000CF01}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\1 13241300x8000000000000000150683529Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2022-02-01 22:58:53.591{3BF36828-4B33-61E8-0100-00000000CF01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\NextInstanceDWORD (0x00000001) 13241300x8000000000000000150683528Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2022-02-01 22:58:53.591{3BF36828-4B33-61E8-0100-00000000CF01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\CountDWORD (0x00000001) 12241200x8000000000000000150683527Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-DeleteValue2022-02-01 22:58:53.591{3BF36828-4B33-61E8-0100-00000000CF01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\1 10341000x8000000000000000150683526Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.544{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683525Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.544{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683524Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.528{3BF36828-4B39-61E8-0C00-00000000CF01}8401248C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-0F00-00000000CF01}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000150683523Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.528{3BF36828-4B39-61E8-0C00-00000000CF01}8401248C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-0F00-00000000CF01}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000150683522Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.528{3BF36828-4B39-61E8-0C00-00000000CF01}8401248C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-0F00-00000000CF01}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000150683521Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.528{3BF36828-4B39-61E8-0C00-00000000CF01}8403164C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+5b40|c:\windows\system32\lsm.dll+2f9b|c:\windows\system32\lsm.dll+5727|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683520Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.528{3BF36828-4B39-61E8-0C00-00000000CF01}8403164C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+2f4d|c:\windows\system32\lsm.dll+5727|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683519Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.528{3BF36828-4B39-61E8-0C00-00000000CF01}8403164C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+5b40|c:\windows\system32\lsm.dll+5f9d|c:\windows\system32\lsm.dll+5718|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683518Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.528{3BF36828-4B39-61E8-0C00-00000000CF01}8403164C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+56c4|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150683517Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.528{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\KBDUS.DLL10.0.14393.0 (rs1_release.160715-1616)United States Keyboard LayoutMicrosoft® Windows® Operating SystemMicrosoft Corporationkbdus.dllMD5=974F03FF3BDB6786F890329340E29CFF,SHA256=D02BCC19AB89EE188DD31D17DEBAECDE26CFC0B30B6E5B0CC5889CCC85202E63,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000150683516Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.528{3BF36828-4B39-61E8-0C00-00000000CF01}8403164C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683515Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.528{3BF36828-4B39-61E8-0C00-00000000CF01}8401248C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683514Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.528{3BF36828-4B39-61E8-0C00-00000000CF01}8401248C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683513Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.513{3BF36828-4B39-61E8-0C00-00000000CF01}8401248C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683512Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.513{3BF36828-4B37-61E8-0B00-00000000CF01}632288C:\Windows\system32\lsass.exe{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683511Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.513{3BF36828-4B37-61E8-0B00-00000000CF01}632288C:\Windows\system32\lsass.exe{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683510Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.513{3BF36828-4B37-61E8-0B00-00000000CF01}632288C:\Windows\system32\lsass.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683509Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.513{3BF36828-4B37-61E8-0B00-00000000CF01}632288C:\Windows\system32\lsass.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683508Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.513{3BF36828-4B37-61E8-0B00-00000000CF01}632288C:\Windows\system32\lsass.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683507Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.513{3BF36828-4B37-61E8-0B00-00000000CF01}632288C:\Windows\system32\lsass.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683506Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.497{3BF36828-4B39-61E8-0C00-00000000CF01}8401248C:\Windows\system32\svchost.exe{3BF36828-4B37-61E8-0B00-00000000CF01}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683505Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.497{3BF36828-4B37-61E8-0B00-00000000CF01}632288C:\Windows\system32\lsass.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683504Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.497{3BF36828-4B37-61E8-0B00-00000000CF01}632288C:\Windows\system32\lsass.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150683503Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.497{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\System32\winlogon.exeC:\Windows\System32\usermgrcli.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)UserMgr API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationusermgrcli.dllMD5=53088C541D573FB17068D8C7FE2C91EA,SHA256=20C4124FDB49FA02F9E90B15E9DBA8E0BBD5A82218038AA636FCFAEDEA1B54EA,IMPHASH=5124BA4251101F1719330C2018DBB582trueMicrosoft WindowsValid 10341000x8000000000000000150683502Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.497{3BF36828-4B39-61E8-0C00-00000000CF01}8401248C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683501Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.497{3BF36828-4B39-61E8-0C00-00000000CF01}8401248C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683500Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.497{3BF36828-4B37-61E8-0B00-00000000CF01}632288C:\Windows\system32\lsass.exe{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683499Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.497{3BF36828-4B37-61E8-0B00-00000000CF01}632288C:\Windows\system32\lsass.exe{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150683498Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.481{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\PhotoMetadataHandler.dll10.0.14393.4169 (rs1_release.210107-1130)Photo Metadata HandlerMicrosoft® Windows® Operating SystemMicrosoft CorporationPhotoMetadataHandler.dllMD5=6FB0850ABAD1E8FDD1F662FCF819262C,SHA256=3EFCA956A159AE40CE292607EC59E4D258BDE13EAB51AFEF270FE55154CFA26E,IMPHASH=C204FCA51D1E4DDB2A7903D799C90765trueMicrosoft WindowsValid 734700x8000000000000000150683497Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.481{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\actxprxy.dll10.0.14393.3808 (rs1_release.200707-2105)ActiveX Interface Marshaling LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationActXPrxy.dllMD5=087C47C19BBFCB9F4932C03C0189E86B,SHA256=9BEE35FBFA2E595372D82E8858BE46CE7717E0399996960398BC238F4D0E5207,IMPHASH=24160898971C9C6FED5AE429E3AAD3DAtrueMicrosoft WindowsValid 734700x8000000000000000150683496Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.466{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\FontGlyphAnimator.dll10.0.14393.4169 (rs1_release.210107-1130)Font Glyph AnimatorMicrosoft® Windows® Operating SystemMicrosoft CorporationFontGlyphAnimator.dllMD5=3179BAF869C1815F2A39438DD5EFD620,SHA256=7A89DD1B6F0DCF16AF14A03EA04718DAAD8FE01E97C61933BD81E6371251AA31,IMPHASH=50CFAE7BE5DDFAF9B3957BA4D337BEADtrueMicrosoft WindowsValid 734700x8000000000000000150683495Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.450{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\WindowsCodecs.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft Windows Codecs LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationWindowsCodecsMD5=B791899A46FD151559658F4F86C3C6F5,SHA256=E559B36A3CC2261C16916F2D49FA351DC4E21E5EC581AC43547ABA16F70CDA7E,IMPHASH=945C5ACF3D7F6243AD6374B1152227D8trueMicrosoft WindowsValid 734700x8000000000000000150683494Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.450{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\windows.storage.dll10.0.14393.4402 (rs1_release.210426-1725)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=DCB0FEE21129CF5397BBB8060CC5F62C,SHA256=89A6859022294A24D5253F4206FD49A45A1DEF34ACC894BF94CA0203DAE81623,IMPHASH=181A859176420BBB803F246C0E4B0889trueMicrosoft WindowsValid 734700x8000000000000000150683493Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.450{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\shell32.dll10.0.14393.4402 (rs1_release.210426-1725)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=5B28CA0CDE72EA21C402B62DDA249256,SHA256=8E46588F0A51745F89CB6C3011B227BE504D9B9D14FF33910DF57F4EDF15ED9A,IMPHASH=2ED99A476E2DEFB78DF894322CB4A549trueMicrosoft WindowsValid 23542300x8000000000000000150683492Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.403{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C07B5FF2147DAE2EE646357BC543F09,SHA256=400296849D7109A8CA2F49EB1C8D6FD942DDB0BC162FEC163A3AA3A65170DD82,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000150683491Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.325{3BF36828-4B39-61E8-0C00-00000000CF01}8401248C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1700-00000000CF01}1424C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683490Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.325{3BF36828-4B39-61E8-0C00-00000000CF01}8401248C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+6260e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000150683489Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.325{3BF36828-4B39-61E8-0C00-00000000CF01}8401248C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-0F00-00000000CF01}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+625bd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 18141800x8000000000000000150683488Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-ConnectPipe2022-02-01 22:58:53.325{3BF36828-4B39-61E8-0F00-00000000CF01}100\TSVCPIPE-f3aae42b-6d29-4106-9be1-1abd921ef3a6C:\Windows\System32\svchost.exe 10341000x8000000000000000150683487Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.325{3BF36828-4B39-61E8-0C00-00000000CF01}8401248C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683486Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.325{3BF36828-4B39-61E8-0C00-00000000CF01}8401248C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683485Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.325{3BF36828-4B39-61E8-0C00-00000000CF01}8401248C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000150683484Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.278{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=881E4D430632AEB174BFDB565EF65242,SHA256=7ADCEC31B37FC42A495FE4A2BF9F3EF8EC6E2D492CCAC482C4B84503DB86FC95,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000150683483Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.247{3BF36828-4B39-61E8-0C00-00000000CF01}8401248C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150683482Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.247{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\threadpoolwinrt.dll10.0.14393.4169 (rs1_release.210107-1130)Windows WinRT ThreadpoolMicrosoft® Windows® Operating SystemMicrosoft Corporationthreadpoolwinrt.dllMD5=4D271D6FA08E19B78A99F948FB012F44,SHA256=92D9A5BC0F95FDE6BA83D17925122815BDF3803D949112852C3D97CFBA16D219,IMPHASH=0E03F54121A53AD6BC839C0721A3CECCtrueMicrosoft WindowsValid 10341000x8000000000000000150683481Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.247{3BF36828-4B39-61E8-0C00-00000000CF01}8401248C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683480Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.247{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683479Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.247{3BF36828-4B39-61E8-0C00-00000000CF01}8401248C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683478Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.247{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683477Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.247{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683476Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.247{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683475Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.247{3BF36828-4B39-61E8-0C00-00000000CF01}8401248C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683474Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.247{3BF36828-4B39-61E8-0C00-00000000CF01}8401248C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683473Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.247{3BF36828-4B39-61E8-0C00-00000000CF01}8401248C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683472Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.247{3BF36828-4B39-61E8-0C00-00000000CF01}8401248C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150683471Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.247{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\devobj.dll10.0.14393.0 (rs1_release.160715-1616)Device Information Set DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationdevinfoset.DLLMD5=72AD993A6E896EB50058A73D045F3284,SHA256=CFF524F52D5F91788F34A47076E0CA36132890981079B27F559279B3F6FC3B11,IMPHASH=DFDCA72C641F8587ADF49CA0ED1D5817trueMicrosoft WindowsValid 10341000x8000000000000000150683470Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.247{3BF36828-4B39-61E8-0F00-00000000CF01}1005056C:\Windows\System32\svchost.exe{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\termsrv.dll+a1087|c:\windows\system32\termsrv.dll+6aa58|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150683469Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.247{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\WinSCard.dll10.0.14393.2273 (rs1_release_1.180427-1811)Microsoft Smart Card APIMicrosoft® Windows® Operating SystemMicrosoft Corporationwinscard.dllMD5=85E2B5FCB057B0476687CCFE28E589A5,SHA256=4B99A7709FAC8E9CF95AA186651BE455C0998414E2D2D807DF1B000EB26FBD15,IMPHASH=8E9831D203C36A499228D7F02C6B90D8trueMicrosoft WindowsValid 10341000x8000000000000000150683468Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.247{3BF36828-4B39-61E8-0C00-00000000CF01}8401248C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683467Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.247{3BF36828-4B39-61E8-0C00-00000000CF01}8401248C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683466Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.247{3BF36828-4B37-61E8-0B00-00000000CF01}6324464C:\Windows\system32\lsass.exe{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\system32\LogonUI.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683465Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.247{3BF36828-4B37-61E8-0B00-00000000CF01}6324464C:\Windows\system32\lsass.exe{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150683464Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.247{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\IDStore.dll10.0.14393.4169 (rs1_release.210107-1130)Identity StoreMicrosoft® Windows® Operating SystemMicrosoft CorporationIdStore.dllMD5=C361C32146F8C2E67168CFC076DBBF55,SHA256=D27DC85DE98B5C85AAAEEE1FC2EBE0F92B53F82F35F0AC6A49ADAE83456C0740,IMPHASH=E5FDBED6A52D2B5010634A77EC08AD4DtrueMicrosoft WindowsValid 18141800x8000000000000000150683463Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-ConnectPipe2022-02-01 22:58:53.247{3BF36828-4B39-61E8-0F00-00000000CF01}100\TSVCPIPE-f3aae42b-6d29-4106-9be1-1abd921ef3a6C:\Windows\System32\svchost.exe 23542300x8000000000000000150683462Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.231{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DAED08E1835327F08FAD292D17B70C3,SHA256=0B88A584CD25EFF8620FCCE100A8C6ECFF61E5C47EDA216E1B27E01C3E62E9FD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000150683461Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.216{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\mfplat.dll10.0.14393.4169 (rs1_release.210107-1130)Media Foundation Platform DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmfplat.dllMD5=6B3DD2386B60D0003B3A0A1AE706A9C5,SHA256=2DF94FA3C88D5D8AB5A981C0182263B5D8161CE0F96687D2DF7892EB4F25104C,IMPHASH=4B0B41F559164385A004BCC689586F63trueMicrosoft WindowsValid 734700x8000000000000000150683460Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.216{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\mfsensorgroup.dll10.0.14393.4169 (rs1_release.210107-1130)Media Foundation Sensor Group DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmfsensorgroup.dllMD5=7CB78A0BF4D6AEA6A4C367DFC7645CD0,SHA256=5504F29CAE19AF9A98D65508A350F518AEA1C66235029B1881CA765146E92D99,IMPHASH=86C22AEFE3E4067CC0F34A1D80C38807trueMicrosoft WindowsValid 734700x8000000000000000150683459Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.216{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\RTWorkQ.dll10.0.14393.479 (rs1_release.161110-2025)Realtime WorkQueue DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationRTWorkQ.dllMD5=1EABA23A7305A232C9A16C14806ED091,SHA256=3AD1A84A56EE0DA68B40D40770787FEED3DCF4A74BE172F01BD837FD680396E6,IMPHASH=41E263D9EB0100A59E34B18CF8F6F725trueMicrosoft WindowsValid 734700x8000000000000000150683458Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.216{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\Windows.Media.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Media Runtime DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Media.dllMD5=28B4EDF53317E0FFA2452AEEC47C4183,SHA256=849608262794A5270B0A22A7412B77C2826E807DC6EA932E5D08451ADDB6078A,IMPHASH=88691B5201F0FCC6E05D2593797A195AtrueMicrosoft WindowsValid 734700x8000000000000000150683457Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.216{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\DevDispItemProvider.dll10.0.14393.0 (rs1_release.160715-1616)DeviceItem inproc devquery subsystemMicrosoft® Windows® Operating SystemMicrosoft CorporationDevDispItemProvider.dllMD5=CCDEFAE1F31F9F9AED64686A143D3D0A,SHA256=CF96EB0C3422628398D218152A729221C0F5D09F287E083AE88ECD77DB2C11BC,IMPHASH=B96B407351B4F23871E4087C6E937148trueMicrosoft WindowsValid 734700x8000000000000000150683456Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.200{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\samlib.dll10.0.14393.0 (rs1_release.160715-1616)SAM Library DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSAMLib.DLLMD5=4C413FEDB1B88DA18059890CE0BC95D1,SHA256=FAD279CE82D1616A533D6E5D3A20543B51FDBDDE4C764E09F6A01C8B0E44218A,IMPHASH=BF11630905AADA27934CD5411323FA5BtrueMicrosoft WindowsValid 734700x8000000000000000150683455Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.200{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\shacct.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)Shell Accounts ClassesMicrosoft® Windows® Operating SystemMicrosoft Corporationshacct.dllMD5=6C3405DC9DB5740B6B2AD3AF67031A2E,SHA256=223153AF2A71D3549CCE25D3EAA294DD44471EA8A0733E5AC1EFD7D99D03886E,IMPHASH=F9EDABA9B540C273AC125BA9D119C3AAtrueMicrosoft WindowsValid 10341000x8000000000000000150683454Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.200{3BF36828-4B39-61E8-0C00-00000000CF01}8401248C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683453Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.200{3BF36828-4B39-61E8-0C00-00000000CF01}8401248C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683452Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.200{3BF36828-4B37-61E8-0B00-00000000CF01}6324464C:\Windows\system32\lsass.exe{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\system32\LogonUI.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683451Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.200{3BF36828-4B37-61E8-0B00-00000000CF01}6324464C:\Windows\system32\lsass.exe{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683450Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.200{3BF36828-4B39-61E8-0F00-00000000CF01}1005056C:\Windows\System32\svchost.exe{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\termsrv.dll+a1087|c:\windows\system32\termsrv.dll+6aa58|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683449Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.200{3BF36828-4B39-61E8-0C00-00000000CF01}8401248C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683448Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.200{3BF36828-4B39-61E8-0C00-00000000CF01}8401248C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150683447Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.200{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\rtutils.dll10.0.14393.3930 (rs1_release.200901-1914)Routing UtilitiesMicrosoft® Windows® Operating SystemMicrosoft CorporationRTUTILS.DLLMD5=7F8BC94C915BD52D3422C5AD11389CEF,SHA256=68012DC490FEB77A313007FB1C3EC3F158A5C339AE620DC869B192EDAAED545B,IMPHASH=C5AA2478104DB535756B980DF0497145trueMicrosoft WindowsValid 734700x8000000000000000150683446Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.200{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\rasplap.dll10.0.14393.4283 (rs1_release.210303-1802)RAS PLAP Credential ProviderMicrosoft® Windows® Operating SystemMicrosoft CorporationRasCredProvMD5=3F09354D09FC8331BB5F8B1D1ECB4503,SHA256=EA48272DF75B81FC14CFCF7CF2FA11E3CE921E18FD5B1FC475C1231C3CBD520F,IMPHASH=7EB175244ACD110A7447F926DD91F627trueMicrosoft WindowsValid 734700x8000000000000000150683445Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.200{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\wlidcredprov.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft® Account Credential ProviderMicrosoft® Windows® Operating SystemMicrosoft CorporationWlidCredProvider.dllMD5=BFDFA8D6CE74D72FC3CAC3E8B6D05FB7,SHA256=172538FF3768FA97A54D4B33B7E3253F568013DF9F8102E023DEFF4CA44B2BBC,IMPHASH=AC43D6C08681C0DFDC982DCBAA555A68trueMicrosoft WindowsValid 734700x8000000000000000150683444Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.200{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\certCredProvider.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)Cert Credential ProviderMicrosoft® Windows® Operating SystemMicrosoft CorporationCertCredprovider.dllMD5=5C5920708E3A7386E3FB97F06A1CF6CD,SHA256=2CEBA7FEC4C2DA3384BE80CB70C5AF04F45727BDA3DEF9A79F478B071AB9FC0C,IMPHASH=A01F108876C25B588A60F1407EC75717trueMicrosoft WindowsValid 734700x8000000000000000150683443Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.200{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\MSWB7.dll10.0.14393.2791 (rs1_release.190205-1511)MSWB7 DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSWB7.dllMD5=5C7C3EBF7A50560DE37B750F3BB0F2B2,SHA256=227474B4306F6FA4F4A7EC5DAE2E91104BA6A156E31BDAD4B82D2E5426A53729,IMPHASH=A39738A99E764D3F4E439E2498C99B04trueMicrosoft WindowsValid 734700x8000000000000000150683442Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.200{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\ngckeyenum.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft Passport Key Enumeration ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationngckeyenum.dllMD5=ACF9A79DE065065D9B9F3C060D8FD883,SHA256=72A663ED47F6354E1EF19D6E5D4BC1118B8BF699B9E112E89BBE8DC8B9D83187,IMPHASH=7408E186279579FBFF9DD5099C815B63trueMicrosoft WindowsValid 10341000x8000000000000000150683441Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.200{3BF36828-4B39-61E8-1200-00000000CF01}4121620C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683440Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.200{3BF36828-4B39-61E8-1200-00000000CF01}4121620C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683439Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.200{3BF36828-4B39-61E8-1200-00000000CF01}4121620C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683438Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.200{3BF36828-4B39-61E8-1200-00000000CF01}4121620C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150683437Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.200{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\BioCredProv.dll10.0.14393.4169 (rs1_release.210107-1130)WinBio Credential ProviderMicrosoft® Windows® Operating SystemMicrosoft CorporationBioCredProv.dllMD5=73F8BD8ED7C88C247AE1F8931FE84024,SHA256=50102694895A05D4554A54C775A033664DF7B9E51347F918E2A2FEF2F2B747C0,IMPHASH=01D3BF39F15617F2002037CAEC4CA502trueMicrosoft WindowsValid 734700x8000000000000000150683436Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.200{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\StructuredQuery.dll7.0.14393.4169 (rs1_release.210107-1130)Structured QueryWindows® SearchMicrosoft CorporationStructuredQuery.dllMD5=330E02FA330C93B93B477AA2F88C8A3A,SHA256=958A6977B820D04D94C8FD85C23CC62D77F0498BB59A648744E8F43704FD7F26,IMPHASH=870079407DAAD548AC5B3F417EEBB243trueMicrosoft WindowsValid 734700x8000000000000000150683435Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.200{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\ntasn1.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft ASN.1 APIMicrosoft® Windows® Operating SystemMicrosoft Corporationntasn1.dllMD5=A45B23E8D2623CE3F760377766AF3E24,SHA256=E0A8F5055CD9E2AF029B8537E09EFFAF1F46C724CB720A6395DCF563EF70B843,IMPHASH=EAA4328F5E33714FA08C71E4AAE43CC1trueMicrosoft WindowsValid 734700x8000000000000000150683434Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.185{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\ncrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows NCrypt RouterMicrosoft® Windows® Operating SystemMicrosoft Corporationncrypt.dllMD5=025DBE9D0F7AE719C64DE3A4555A7C0A,SHA256=1A223828A444E7797A9E00632DAE81AC3AC68B38786E67912B1C3FC6118FB6B4,IMPHASH=B6A1A16A2B5E910045E998CD7709E966trueMicrosoft WindowsValid 734700x8000000000000000150683433Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.185{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\ngccredprov.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Passport Credential ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationngccredprov.dllMD5=5125FB8AD27095A89651EFE26DF82B8F,SHA256=B49A3E4B223B5737ABB834DA077E2F525B8D5A4E7A226134AD23B19BD20DA5B5,IMPHASH=BD5237271CB2F0AA3004D8AC0791F836trueMicrosoft WindowsValid 734700x8000000000000000150683432Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.185{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\biwinrt.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Background Broker InfrastructureMicrosoft® Windows® Operating SystemMicrosoft Corporationbiwinrt.dllMD5=1774BAC67716351387E5F11635DEED8D,SHA256=74F9B4190CFFADCE3ED3F61D4FD6A4F7CCC6EE0F42E3452D018E8160ECB3BE1F,IMPHASH=518BBC26E9BA87459E80712401FEE077trueMicrosoft WindowsValid 734700x8000000000000000150683431Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.185{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\deviceassociation.dll10.0.14393.0 (rs1_release.160715-1616)Device Association Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationdeviceassociation.dllMD5=68139108F7E1D4327BE76289E14C2159,SHA256=05436A7EE5EE877F3EA6B12604D41EFCE288F093AAEE03A906FB7C9A4A76DFDA,IMPHASH=CA757A840D91610BF593E8A2814EB9B3trueMicrosoft WindowsValid 734700x8000000000000000150683430Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.185{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\Windows.Devices.Enumeration.dll10.0.14393.4169 (rs1_release.210107-1130)Windows.Devices.EnumerationMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Devices.Enumeration.dllMD5=4C62915A0F4A5D426D857C5DEC342AE9,SHA256=371A5B33833D0433F525EF0A0E61B7EFE5F91142F814241AB291C178B055BCB3,IMPHASH=19CB1EC42DBF9C106DE4DE251E31017EtrueMicrosoft WindowsValid 734700x8000000000000000150683429Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.185{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\facecredentialprovider.dll10.0.14393.4169 (rs1_release.210107-1130)Face Credential ProviderMicrosoft® Windows® Operating SystemMicrosoft CorporationFaceCredentialProvider.dllMD5=75568151502F3012E5A0B28D53517B21,SHA256=6CD897692F27AF5291034213CFA48CF0A0517C33A5A23ED270F12DDE98FB32D9,IMPHASH=A57735F3674892C8A813AC842EA6CFAFtrueMicrosoft WindowsValid 734700x8000000000000000150683428Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.185{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\cngcredui.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft CNG CredUI ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationcngcredui.dllMD5=FE84C1709B761FFCFA7F4340FA451A65,SHA256=329D2D141C9C0ECC68C12E8B68D0413C396F47C83C85621A410773D8BB1A494C,IMPHASH=9AEED300060E76958D7D2ED9F8BF8EDFtrueMicrosoft WindowsValid 734700x8000000000000000150683427Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.185{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000150683426Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.185{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\credprovs.dll10.0.14393.4169 (rs1_release.210107-1130)Credential ProvidersMicrosoft® Windows® Operating SystemMicrosoft Corporationcredprovs.dllMD5=913EF3B2F5DF7C749774F6FF3B054C11,SHA256=4E3F665593865080E37EA4F3108102FD222C2DECE3841F178EAF29A9CCB59C2C,IMPHASH=4D8C135A6C32D5E52CB9D0ED6F5E66D4trueMicrosoft WindowsValid 734700x8000000000000000150683425Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.185{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\credprovslegacy.dll10.0.14393.4169 (rs1_release.210107-1130)Credential Providers LegacyMicrosoft® Windows® Operating SystemMicrosoft Corporationcredprovslegacy.dllMD5=C54FE5EE50B5B797FFCFCC1B00A0076C,SHA256=2676BC00EB97E8BC4F3052EF09106DA33FA33CECC66D179164B3B2FE9DEFD9F6,IMPHASH=350AE9643284403B93B04574B73914E7trueMicrosoft WindowsValid 734700x8000000000000000150683424Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.185{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\dcomp.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft DirectComposition LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationdcomp.dllMD5=40873566DBFF13981CA1AE23AC281C5D,SHA256=E52C4619C837358454B969D31E2E14ACDEDABB384272D48C03E4F0AF9A2C2B6E,IMPHASH=9651C547656809410E78B358203C1A1DtrueMicrosoft WindowsValid 734700x8000000000000000150683423Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.185{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\SmartcardCredentialProvider.dll10.0.14393.2248 (rs1_release.180427-1804)Windows Smartcard Credential ProviderMicrosoft® Windows® Operating SystemMicrosoft CorporationSmartcardCredentialProvider.dllMD5=89F3FE0276D7A31BA02AC3366F964FEE,SHA256=EE1AC8484F240304375600A1B95B64670D660EEC8E3D9F49D7782505D38E28B2,IMPHASH=634A0E8BBEC2A27265F521A876EDBBDAtrueMicrosoft WindowsValid 734700x8000000000000000150683422Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.185{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\directmanipulation.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Direct Manipulation ComponentMicrosoft® Windows® Operating SystemMicrosoft Corporationdirectmanipulation.dllMD5=EA7CE188E0D1E66C361C8B87304EACDE,SHA256=9ADCA2B7554173A0FD8833F65935C151B09A5D790F46E9EC4EE25E9622F1159A,IMPHASH=D9F27AFFC8B05CE56A2B9B9CD5B4C9B5trueMicrosoft WindowsValid 734700x8000000000000000150683421Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.185{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 734700x8000000000000000150683420Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.185{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000150683419Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.185{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000150683418Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.185{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\samcli.dll10.0.14393.0 (rs1_release.160715-1616)Security Accounts Manager Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSAMCLI.DLLMD5=AEF1161232D111EEA93F64B203F131AE,SHA256=C1DA3DF389A414AAA26FEEEA28F35AAC202CE3A5CC3AF26B7C0C14EBBC2157F9,IMPHASH=D27BDFF964B5FDB8A5E9B0599333826BtrueMicrosoft WindowsValid 734700x8000000000000000150683417Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.169{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\credprovhost.dll10.0.14393.4402 (rs1_release.210426-1725)Credential Provider Framework HostMicrosoft® Windows® Operating SystemMicrosoft Corporationcredprovhost.dllMD5=D64A4C4E4CDB8DD6128D4EFAC4118353,SHA256=A503771EBD077D5C5C2EFF2499E074A8B05099A59D68E7668F403EB6DC4A902A,IMPHASH=2B8D4C5C44B72C4C63973FFAB9046281trueMicrosoft WindowsValid 734700x8000000000000000150683416Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.169{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\CredProvDataModel.dll10.0.14393.4169 (rs1_release.210107-1130)Cred Prov Data ModelMicrosoft® Windows® Operating SystemMicrosoft CorporationCredProvDataModel.dllMD5=6B8B71ABE125771FEE8A44D0F941CEF3,SHA256=1C7C0865C8BD4CD12867432AC71144923344F596EFA2D7C42DD9EF37F508F519,IMPHASH=E95B43892FF230687F925F53516FD6F3trueMicrosoft WindowsValid 734700x8000000000000000150683415Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.169{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000150683414Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.169{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\InputSwitch.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Windows Input SwitcherMicrosoft® Windows® Operating SystemMicrosoft CorporationInputSwitch.dllMD5=2B36BB851BC67134276AF104374E1AE7,SHA256=5BBE3DAB8CC51D7979C85F6794AC87EC01033B10381C9975BB82EFDD130C71F8,IMPHASH=9FA3243ACAFF711089EA1F97D1240A36trueMicrosoft WindowsValid 10341000x8000000000000000150683413Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.169{3BF36828-4B39-61E8-0F00-00000000CF01}100908C:\Windows\System32\svchost.exe{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\termsrv.dll+a1087|c:\windows\system32\termsrv.dll+6a73d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000150683412Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.153{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74D5ACE3BC42233A8D71630252C8C2B4,SHA256=41593984D5A671359A5F4F9E6ABB1ECF99A94B952575CFA8C06DC2597540F4DE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 18141800x8000000000000000150683411Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-ConnectPipe2022-02-01 22:58:53.153{3BF36828-4B39-61E8-0F00-00000000CF01}100\TSVCPIPE-f3aae42b-6d29-4106-9be1-1abd921ef3a6C:\Windows\System32\svchost.exe 10341000x8000000000000000150683410Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.153{3BF36828-4B39-61E8-0C00-00000000CF01}8401248C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+6260e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000150683409Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.153{3BF36828-4B39-61E8-0C00-00000000CF01}8401248C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-0F00-00000000CF01}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+625bd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 18141800x8000000000000000150683408Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-ConnectPipe2022-02-01 22:58:53.153{3BF36828-4B39-61E8-0F00-00000000CF01}100\TSVCPIPE-f3aae42b-6d29-4106-9be1-1abd921ef3a6C:\Windows\System32\svchost.exe 17141700x8000000000000000150683407Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-CreatePipe2022-02-01 22:58:53.153{3BF36828-4B39-61E8-0F00-00000000CF01}100\TSVCPIPE-f3aae42b-6d29-4106-9be1-1abd921ef3a6C:\Windows\System32\svchost.exe 10341000x8000000000000000150683406Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.153{3BF36828-4B39-61E8-0C00-00000000CF01}8401248C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683405Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.153{3BF36828-4B39-61E8-0C00-00000000CF01}8401248C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683404Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.153{3BF36828-4B39-61E8-0C00-00000000CF01}8401248C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2200-00000000CF01}2720C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683403Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.153{3BF36828-4B39-61E8-0C00-00000000CF01}8401248C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683402Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.153{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683401Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.138{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1400-00000000CF01}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683400Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.138{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1400-00000000CF01}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683399Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.138{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1400-00000000CF01}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683398Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.138{3BF36828-4B3A-61E8-1600-00000000CF01}13002144C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\system32\winlogon.exe0x147aC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\themeservice.dll+3de3|c:\windows\system32\themeservice.dll+26c0|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683397Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.138{3BF36828-4B3A-61E8-1600-00000000CF01}13001356C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683396Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.138{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683395Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.138{3BF36828-4B39-61E8-0C00-00000000CF01}8401248C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683394Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.138{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683393Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.138{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683392Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.138{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683391Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.138{3BF36828-4B39-61E8-0C00-00000000CF01}8401248C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683390Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.138{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-0669-61F8-11DA-01000000CF01}6068C:\Windows\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683389Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.138{3BF36828-4B39-61E8-0C00-00000000CF01}8401248C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683388Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.138{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+396a|c:\windows\system32\SYSNTFY.dll+1fc3|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49e78|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683387Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.138{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+48674|C:\Windows\System32\RPCRT4.dll+31850|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683386Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.138{3BF36828-4B37-61E8-0B00-00000000CF01}6324464C:\Windows\system32\lsass.exe{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+48674|C:\Windows\System32\RPCRT4.dll+31850|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683385Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.138{3BF36828-4B3A-61E8-1600-00000000CF01}13002144C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+48674|C:\Windows\System32\RPCRT4.dll+31850|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150683384Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.138{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\Windows.Globalization.dll10.0.14393.4169 (rs1_release.210107-1130)Windows GlobalizationMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Globalization.dllMD5=D48D3F64A7718C672CDEC0B7A8CB7695,SHA256=C459390E3E67665FC2413469F8C29544DB9421D14B6C40F68B1674C924898B71,IMPHASH=0280A5811869EFED56B453A140477D51trueMicrosoft WindowsValid 734700x8000000000000000150683383Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.138{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\DWrite.dll10.0.14393.4225 (rs1_release.210127-1811)Microsoft DirectX Typography ServicesMicrosoft® Windows® Operating SystemMicrosoft CorporationDWriteMD5=BB0ECCB8A72B5926A58433666145D459,SHA256=9C082B0EF00A6E174062634F0421B1179D27BC9077A5C0B1FEB2AA74DBAC2E68,IMPHASH=4DF173E853B52F621D05CC337B9F72CEtrueMicrosoft WindowsValid 734700x8000000000000000150683382Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.122{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\System32\dwm.exeC:\Windows\System32\cabinet.dll5.00 (rs1_release.160715-1616)Microsoft® Cabinet File APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcabinet.dllMD5=08A4A2712DB2AE10E483FB74E46B0E73,SHA256=EEB32E3E4256CC9935227ACD5BA576B75F1F6FE3C818D2127513CB22F823FECB,IMPHASH=536E202FBC448C2C3B40D60D87620951trueMicrosoft WindowsValid 734700x8000000000000000150683381Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.122{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\System32\dwm.exeC:\Windows\System32\xmllite.dll10.0.14393.3143 (rs1_release.190725-1725)Microsoft XmlLite LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationXmlLite.dllMD5=64E301CCFADF34810ADA8DE9DBC7720F,SHA256=6EAE1E0E610793C7DF2B27795553F377D2C4126CF74D8EE4A84DE3C3150871F8,IMPHASH=B53F82B33CA6ABD6251152A46E5FF78CtrueMicrosoft WindowsValid 734700x8000000000000000150683380Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.122{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\System32\dwm.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242,IMPHASH=B6562243FBF394F03046E917C719260FtrueMicrosoft WindowsValid 734700x8000000000000000150683379Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.122{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\System32\dwm.exeC:\Windows\System32\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=95BA70CFA8087A209500D7D350BF3A59,SHA256=4265157E8DC2A0E32A6328D54181CC31FD24E3017E60B270623C2CDBE5FAB4FA,IMPHASH=5BAA515B293A764CA06512D078C4E624trueMicrosoft WindowsValid 734700x8000000000000000150683378Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.122{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\System32\dwm.exeC:\Windows\System32\d2d1.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft D2D LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationd2d1MD5=E15A420D82314AF63973D7D0AB3BA2DD,SHA256=C264B2FA1F3E67E558E2671807C06270926EF456F4FF83F1F9859B18184F187E,IMPHASH=5F8C6AF7D0781F35A516AEB072DAD045trueMicrosoft WindowsValid 734700x8000000000000000150683377Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.122{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\System32\dwm.exeC:\Windows\System32\d3d10warp.dll10.0.14393.2608 (rs1_release.181024-1742)Direct3D 10 RasterizerMicrosoft® Windows® Operating SystemMicrosoft CorporationD3D10Warp.dllMD5=B69F0419A16A616FE2D779EC98CD7FB9,SHA256=2D10B43F2137433E48A009227487C691E312D186691485D33B4FDF90D8423C9D,IMPHASH=E32C7474360C94A9FE5E17141A4AB35FtrueMicrosoft WindowsValid 734700x8000000000000000150683376Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.122{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\System32\dwm.exeC:\Windows\System32\d3d10warp.dll10.0.14393.2608 (rs1_release.181024-1742)Direct3D 10 RasterizerMicrosoft® Windows® Operating SystemMicrosoft CorporationD3D10Warp.dllMD5=B69F0419A16A616FE2D779EC98CD7FB9,SHA256=2D10B43F2137433E48A009227487C691E312D186691485D33B4FDF90D8423C9D,IMPHASH=E32C7474360C94A9FE5E17141A4AB35FtrueMicrosoft WindowsValid 734700x8000000000000000150683375Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.122{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\System32\dwm.exeC:\Windows\System32\ntmarta.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=854A3CAE7C97B630158C9F7EE8555970,SHA256=20F0A4D99C5095A0CAC39B816BFC987F64CD051843C79E027714666375986176,IMPHASH=98050D95AE15C8382F287539F2BF65FAtrueMicrosoft WindowsValid 734700x8000000000000000150683374Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.122{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\System32\dwm.exeC:\Windows\System32\rdsdwmdr.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Remote Desktop Services Desktop Composition ComponentMicrosoft® Windows® Operating SystemMicrosoft Corporationrdsdwmdr.dllMD5=8AB1C043AEA9B8E3E69F66FA2D6D0902,SHA256=6405F183B338D172526735F3C68A22E6D927EF62EF2B8D184E8702525B08C529,IMPHASH=C6DD7624FA229BF9070263DE7139C105trueMicrosoft WindowsValid 734700x8000000000000000150683373Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.106{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\System32\dwm.exeC:\Windows\System32\OneCoreUAPCommonProxyStub.dll10.0.14393.3808 (rs1_release.200707-2105)OneCoreUAP Common Proxy StubMicrosoft® Windows® Operating SystemMicrosoft CorporationOneCoreUAPCommonProxyStub.dllMD5=9F8EF1431E82015CD1918582A770DB35,SHA256=FC2073DCE9AC41DBF338FAFE85F2429D6D3812573D2192C7A906C1D46E0AB4FA,IMPHASH=D919FF32201FBB7C5B3EF498D589EAE4trueMicrosoft WindowsValid 10341000x8000000000000000150683372Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.106{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683371Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.106{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150683370Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.106{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\System32\dwm.exeC:\Windows\System32\winsta.dll10.0.14393.0 (rs1_release.160715-1616)Winstation LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationwinsta.dllMD5=12668CEFEE3754CFA61C5699821668B3,SHA256=D0C81619EDE8B846D98417989684EF16DF3A053CC049C7281E40F3359AD5B570,IMPHASH=2E790E44628AED89C2CC17E1E4A5CE1CtrueMicrosoft WindowsValid 10341000x8000000000000000150683369Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.091{3BF36828-4B39-61E8-0C00-00000000CF01}8403164C:\Windows\system32\svchost.exe{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150683368Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.091{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\System32\dwm.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000150683367Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.091{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\System32\dwm.exeC:\Windows\System32\twinapi.appcore.dll10.0.14393.4169 (rs1_release.210107-1130)twinapi.appcoreMicrosoft® Windows® Operating SystemMicrosoft Corporationtwinapi.appcore.dllMD5=B877C5BDEA2215B3D3CF89F645EB535C,SHA256=2F5468CC4277C8CB4B2AD1095AFC739ECAE0F0B6EE78E57BF64A97F3BDA54C19,IMPHASH=52DACB9FFE8B422785C607A5B88982C7trueMicrosoft WindowsValid 734700x8000000000000000150683366Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.091{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\System32\dwm.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x8000000000000000150683365Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.091{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\System32\dwm.exeC:\Windows\System32\Windows.Gaming.Input.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Gaming Input APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Gaming.Input.dllMD5=6947CE1BEE28DA84EF0F9A9CCAC220D9,SHA256=5350654F9C04864F2A364C368348C1799DB7A949286AD946726D0A3583942386,IMPHASH=AA9A60973CD4BBAFA67132CB2D843B41trueMicrosoft WindowsValid 734700x8000000000000000150683364Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.091{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242,IMPHASH=B6562243FBF394F03046E917C719260FtrueMicrosoft WindowsValid 734700x8000000000000000150683363Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.091{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=95BA70CFA8087A209500D7D350BF3A59,SHA256=4265157E8DC2A0E32A6328D54181CC31FD24E3017E60B270623C2CDBE5FAB4FA,IMPHASH=5BAA515B293A764CA06512D078C4E624trueMicrosoft WindowsValid 734700x8000000000000000150683362Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.091{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\d2d1.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft D2D LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationd2d1MD5=E15A420D82314AF63973D7D0AB3BA2DD,SHA256=C264B2FA1F3E67E558E2671807C06270926EF456F4FF83F1F9859B18184F187E,IMPHASH=5F8C6AF7D0781F35A516AEB072DAD045trueMicrosoft WindowsValid 734700x8000000000000000150683361Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.091{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\System32\dwm.exeC:\Windows\System32\UIAnimation.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Animation ManagerMicrosoft® Windows® Operating SystemMicrosoft CorporationUIAnimation.DLLMD5=7F8B0CD5AB8C3E677B98400A2E7C3A75,SHA256=D49C09FBF9BD077A81CB9DA8DE09D2EB1835BCF5F0153373DCE6B484A0F64227,IMPHASH=BC9606EA9B100715129576DB5908D6A8trueMicrosoft WindowsValid 734700x8000000000000000150683360Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.091{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\d3d10warp.dll10.0.14393.2608 (rs1_release.181024-1742)Direct3D 10 RasterizerMicrosoft® Windows® Operating SystemMicrosoft CorporationD3D10Warp.dllMD5=B69F0419A16A616FE2D779EC98CD7FB9,SHA256=2D10B43F2137433E48A009227487C691E312D186691485D33B4FDF90D8423C9D,IMPHASH=E32C7474360C94A9FE5E17141A4AB35FtrueMicrosoft WindowsValid 734700x8000000000000000150683359Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.091{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\d3d11.dll10.0.14393.4169 (rs1_release.210107-1130)Direct3D 11 RuntimeMicrosoft® Windows® Operating SystemMicrosoft CorporationD3D11.dllMD5=EDCE49E7FDE3BD70DF70F05B8C47ACD4,SHA256=864EC8827EB03CDF7F2FC5E318283A7835E600CE548590C59E1DCF8BF8112089,IMPHASH=460DAE5CA92CB705C37D78BE630D6120trueMicrosoft WindowsValid 734700x8000000000000000150683358Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.091{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\System32\dwm.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2,IMPHASH=0BE8D1F061DD646F6D2B834CB7C9C900trueMicrosoft WindowsValid 734700x8000000000000000150683357Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.091{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\System32\dwm.exeC:\Windows\System32\avrt.dll10.0.14393.2969 (rs1_release.190503-1820)Multimedia Realtime RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationavrt.dllMD5=8EC9E2490A9FFA637115F758B22FFF78,SHA256=1A3295CBF09E9367CCE68505D949D724FB9B66B4516770B7D594273C3BCFC5B8,IMPHASH=F266C00A61E480BB0A81B1A89DB30014trueMicrosoft WindowsValid 734700x8000000000000000150683356Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.091{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\ResourcePolicyClient.dll10.0.14393.3808 (rs1_release.200707-2105)Resource Policy ClientMicrosoft® Windows® Operating SystemMicrosoft CorporationResourcePolicyClient.dllMD5=8FD5FEFE4E020BBC2D95F07BCDC84F71,SHA256=E5E351822CCDEBF81C47C4CA1D5C158E2880C1BD29CA024D163FD9316F3046AE,IMPHASH=E494F732179E765F2CE18BC21CDB1948trueMicrosoft WindowsValid 734700x8000000000000000150683355Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.076{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\dxgi.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)DirectX Graphics InfrastructureMicrosoft® Windows® Operating SystemMicrosoft Corporationdxgi.dllMD5=3C32D763740C83DB2C44DEA4B6F18C54,SHA256=ED26DBB9C3656767CA25887CDC3B45CF978AFC75E064FF5457A36C7A69E55223,IMPHASH=83736A76214A92F5C1B53248D0C22863trueMicrosoft WindowsValid 734700x8000000000000000150683354Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.076{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\System32\dwm.exeC:\Windows\System32\ResourcePolicyClient.dll10.0.14393.3808 (rs1_release.200707-2105)Resource Policy ClientMicrosoft® Windows® Operating SystemMicrosoft CorporationResourcePolicyClient.dllMD5=8FD5FEFE4E020BBC2D95F07BCDC84F71,SHA256=E5E351822CCDEBF81C47C4CA1D5C158E2880C1BD29CA024D163FD9316F3046AE,IMPHASH=E494F732179E765F2CE18BC21CDB1948trueMicrosoft WindowsValid 734700x8000000000000000150683353Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.076{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\System32\dwm.exeC:\Windows\System32\WinTypes.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Base Types DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWinTypes.dllMD5=AAA321C636929D23C58B5A78EDA04B61,SHA256=E33D62CC132B8D790B3604DBE227CD2A270E30C1B71881BB4E3B00732CE56E5C,IMPHASH=58F905117CF0434AF54A7CD9D43EEF30trueMicrosoft WindowsValid 734700x8000000000000000150683352Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.076{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\WinTypes.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Base Types DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWinTypes.dllMD5=AAA321C636929D23C58B5A78EDA04B61,SHA256=E33D62CC132B8D790B3604DBE227CD2A270E30C1B71881BB4E3B00732CE56E5C,IMPHASH=58F905117CF0434AF54A7CD9D43EEF30trueMicrosoft WindowsValid 734700x8000000000000000150683351Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.076{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\System32\dwm.exeC:\Windows\System32\WinTypes.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Base Types DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWinTypes.dllMD5=AAA321C636929D23C58B5A78EDA04B61,SHA256=E33D62CC132B8D790B3604DBE227CD2A270E30C1B71881BB4E3B00732CE56E5C,IMPHASH=58F905117CF0434AF54A7CD9D43EEF30trueMicrosoft WindowsValid 734700x8000000000000000150683350Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.076{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\System32\dwm.exeC:\Windows\System32\WinTypes.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Base Types DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWinTypes.dllMD5=AAA321C636929D23C58B5A78EDA04B61,SHA256=E33D62CC132B8D790B3604DBE227CD2A270E30C1B71881BB4E3B00732CE56E5C,IMPHASH=58F905117CF0434AF54A7CD9D43EEF30trueMicrosoft WindowsValid 23542300x8000000000000000150683349Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.076{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=CF9B133471FF88A72C8148F97F97D92C,SHA256=62E72B2C73643D21E1DFFBF83EEEC36F328AE79184FEABDBD7EC47C40EFAF81F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150683348Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.076{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E34BB13381DA640BB0CF88BF492FDA9,SHA256=7591155344CE23BB917282F6533420BB845FDA346C69FF3BAB764EB52F449C3F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150683347Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.076{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=1815FBEEA7C49E1C5B4E1C5673AE2CFC,SHA256=A9A9018768FF87617F0BDFBA06DB44AC76A842F6E460A42F520B9A8731E69513,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000150683346Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.060{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000150683345Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.060{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\twinapi.appcore.dll10.0.14393.4169 (rs1_release.210107-1130)twinapi.appcoreMicrosoft® Windows® Operating SystemMicrosoft Corporationtwinapi.appcore.dllMD5=B877C5BDEA2215B3D3CF89F645EB535C,SHA256=2F5468CC4277C8CB4B2AD1095AFC739ECAE0F0B6EE78E57BF64A97F3BDA54C19,IMPHASH=52DACB9FFE8B422785C607A5B88982C7trueMicrosoft WindowsValid 734700x8000000000000000150683344Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.060{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\KBDUS.DLL10.0.14393.0 (rs1_release.160715-1616)United States Keyboard LayoutMicrosoft® Windows® Operating SystemMicrosoft Corporationkbdus.dllMD5=974F03FF3BDB6786F890329340E29CFF,SHA256=D02BCC19AB89EE188DD31D17DEBAECDE26CFC0B30B6E5B0CC5889CCC85202E63,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150683343Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.060{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\ntmarta.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=854A3CAE7C97B630158C9F7EE8555970,SHA256=20F0A4D99C5095A0CAC39B816BFC987F64CD051843C79E027714666375986176,IMPHASH=98050D95AE15C8382F287539F2BF65FAtrueMicrosoft WindowsValid 734700x8000000000000000150683342Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.060{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\System32\dwm.exeC:\Windows\System32\CoreUIComponents.dll-----MD5=938961BA199F9626C72673E8D67A0D56,SHA256=92414B7F78A45D4DE494F3283B2A33A1F422E32F73C1733AA9071EE0B89ADC5E,IMPHASH=E1E6E93CD96B5C1875509E930B2B8C21trueMicrosoft WindowsValid 734700x8000000000000000150683341Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.060{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\System32\dwm.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430D,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x8000000000000000150683340Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.060{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\System32\dwm.exeC:\Windows\System32\ism32k.dll-----MD5=2D64FFE4D9D69749DAE22929EAF7C0E3,SHA256=DE4B60F73BE4265C83E68C80B984F5B06B69DB281E4F1365DBBAFB9D9366D9B1,IMPHASH=5EAAB1EA34F06850795E43CC80F7A946trueMicrosoft WindowsValid 734700x8000000000000000150683339Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.044{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\System32\dwm.exeC:\Windows\System32\d3d11.dll10.0.14393.4169 (rs1_release.210107-1130)Direct3D 11 RuntimeMicrosoft® Windows® Operating SystemMicrosoft CorporationD3D11.dllMD5=EDCE49E7FDE3BD70DF70F05B8C47ACD4,SHA256=864EC8827EB03CDF7F2FC5E318283A7835E600CE548590C59E1DCF8BF8112089,IMPHASH=460DAE5CA92CB705C37D78BE630D6120trueMicrosoft WindowsValid 734700x8000000000000000150683338Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.044{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\Windows.UI.Immersive.dll10.0.14393.4283 (rs1_release.210303-1802)WINDOWS.UI.IMMERSIVEMicrosoft® Windows® Operating SystemMicrosoft CorporationWINDOWS.UI.IMMERSIVE.dllMD5=4331AC493E264AF1378E0082194D07A5,SHA256=81B8E123110B9C7A34957B9176791AD86EA874315D4555FDC85CF20975E08D99,IMPHASH=C0750252600F63F4BA1D73794E8FE8C0trueMicrosoft WindowsValid 734700x8000000000000000150683337Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.044{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\System32\dwm.exeC:\Windows\System32\WindowsCodecs.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft Windows Codecs LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationWindowsCodecsMD5=B791899A46FD151559658F4F86C3C6F5,SHA256=E559B36A3CC2261C16916F2D49FA351DC4E21E5EC581AC43547ABA16F70CDA7E,IMPHASH=945C5ACF3D7F6243AD6374B1152227D8trueMicrosoft WindowsValid 10341000x8000000000000000150683336Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.044{3BF36828-4B39-61E8-0C00-00000000CF01}8403164C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683335Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.044{3BF36828-4B39-61E8-0C00-00000000CF01}8403164C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150683334Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.044{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\System32\dwm.exeC:\Windows\System32\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=74621C6ABE4E9A568DF0A38E7282D71E,SHA256=0788A092D47800D0EB120A7DBB9E59234D0722A4A2E80ECE6CE70E3A84A3750A,IMPHASH=ADB9F71ACD4F7D3CF761AB6C59A7F1E5trueMicrosoft WindowsValid 734700x8000000000000000150683333Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.044{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\System32\dwm.exeC:\Windows\System32\dwmghost.dll10.0.14393.0 (rs1_release.160715-1616)DWMGhostMicrosoft® Windows® Operating SystemMicrosoft CorporationDWMGhost.DLLMD5=E90480135CCF153367927193360E1704,SHA256=1E38DCCFBB4E3F7A97ACF9B8F35A27EDA314779E17951B62915BFEF2C4FE1905,IMPHASH=E6DA3EBF6A2D12D95C9048E332A1FCA4trueMicrosoft WindowsValid 10341000x8000000000000000150683332Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.044{3BF36828-4B39-61E8-0C00-00000000CF01}8403164C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683331Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.044{3BF36828-4B39-61E8-0C00-00000000CF01}8403164C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000150683330Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.044{3BF36828-4B49-61E8-2D00-00000000CF01}3056NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000150683329Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.044{3BF36828-4B3A-61E8-1600-00000000CF01}13002144C:\Windows\system32\svchost.exe{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683328Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.044{3BF36828-4B3A-61E8-1600-00000000CF01}13001356C:\Windows\system32\svchost.exe{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\system32\dwm.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150683327Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.044{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\System32\dwm.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 734700x8000000000000000150683326Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.028{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\System32\dwm.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x8000000000000000150683325Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.028{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\System32\dwm.exeC:\Windows\System32\dxgi.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)DirectX Graphics InfrastructureMicrosoft® Windows® Operating SystemMicrosoft Corporationdxgi.dllMD5=3C32D763740C83DB2C44DEA4B6F18C54,SHA256=ED26DBB9C3656767CA25887CDC3B45CF978AFC75E064FF5457A36C7A69E55223,IMPHASH=83736A76214A92F5C1B53248D0C22863trueMicrosoft WindowsValid 734700x8000000000000000150683324Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.028{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\CoreMessaging.dll10.0.14393.3930Microsoft CoreMessaging DllMicrosoft® Windows® Operating SystemMicrosoft CorporationCoreMessaging.dllMD5=3D9D2F367587B2E93F2868F52D4ACBDD,SHA256=B4B27A7D4B9B685B6015D090B6A3E0E578AFBDE8D6C06A8F2E606A439D5A4BA4,IMPHASH=92CA7117B99353AC45978E95EEB5A46DtrueMicrosoft WindowsValid 734700x8000000000000000150683323Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.028{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\iertutil.dll11.00.14393.4283 (rs1_release.210303-1802)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=5541A4A7FB64063F8AFB192ABD4DAE70,SHA256=AABF2E6C392F29B77F076BF705976B68B3100138BC63060335BD154B8417754D,IMPHASH=BB80FB0B79AB68B9AA174726B09C8CE9trueMicrosoft WindowsValid 10341000x8000000000000000150683322Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.028{3BF36828-4B39-61E8-0C00-00000000CF01}8403164C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150683321Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.028{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\Windows.UI.Xaml.dll10.0.14393.4402 (rs1_release.210426-1725)Windows.UI.Xaml dllMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.UI.Xaml.dllMD5=D3AABF7BF9CFBD51194C622C0A6A7D78,SHA256=86F89179208C22EE22AD51820FCE323D0F1EF160F7ABB6EE8AB6F858AB4CDDD9,IMPHASH=B872FEAB4926DE1D74C3DF5AC4E62C2CtrueMicrosoft WindowsValid 734700x8000000000000000150683320Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.028{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\MsSpellCheckingFacility.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Spell Checking FacilityMicrosoft® Windows® Operating SystemMicrosoft CorporationMsSpellCheckingFacility.dllMD5=C0079D2D05B1563423C2BF0AED09CE87,SHA256=B55921D0A70FC3F5097010F49C6342E47F30F6B6EB4475CC4F7683954A00836E,IMPHASH=BD8E5A2DF0B988B5F76A40E2D1BEBF97trueMicrosoft WindowsValid 734700x8000000000000000150683319Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.028{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\globinputhost.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows Globalization Extension API for InputMicrosoft® Windows® Operating SystemMicrosoft Corporationglobinputhost.dllMD5=B92070EB12AF4C292155EBB155A0B6C3,SHA256=F155CFD56DC7199F16377259C55C0E8A26662A81588264F01D0E1F1387721DDC,IMPHASH=AB0E9B104017117F7BE18F3C6AAC279AtrueMicrosoft WindowsValid 734700x8000000000000000150683318Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.028{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\System32\dwm.exeC:\Windows\System32\CoreMessaging.dll10.0.14393.3930Microsoft CoreMessaging DllMicrosoft® Windows® Operating SystemMicrosoft CorporationCoreMessaging.dllMD5=3D9D2F367587B2E93F2868F52D4ACBDD,SHA256=B4B27A7D4B9B685B6015D090B6A3E0E578AFBDE8D6C06A8F2E606A439D5A4BA4,IMPHASH=92CA7117B99353AC45978E95EEB5A46DtrueMicrosoft WindowsValid 734700x8000000000000000150683317Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.028{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\Winlangdb.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows Bcp47 Language DatabaseMicrosoft® Windows® Operating SystemMicrosoft CorporationWinlangdb.dllMD5=50E4D5039A8CDC4A6B540FCA4584CDBD,SHA256=AEF4A7FDBF3D97CAA5750A3779246AF5E562176179153B356689A0E3FC5BB444,IMPHASH=E258085E2BBA36D50AAE0D0E18AC11EAtrueMicrosoft WindowsValid 734700x8000000000000000150683316Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.028{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\System32\dwm.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000150683315Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.028{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\System32\dwm.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000150683314Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.028{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\System32\dwm.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000150683313Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.028{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\Windows.UI.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Runtime UI Foundation DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.UI.dllMD5=FEC31833E8D13591BAECE59B8E39F53C,SHA256=424BAEA0DC8EF34305A881F9B36F22E8CFECA403A0D03B61782D69535387A401,IMPHASH=B073DE28C43175420FE754415439CCEAtrueMicrosoft WindowsValid 734700x8000000000000000150683312Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.028{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\System32\dwm.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000150683311Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.028{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\System32\dwm.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000150683310Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.028{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\System32\dwm.exeC:\Windows\System32\dcomp.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft DirectComposition LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationdcomp.dllMD5=40873566DBFF13981CA1AE23AC281C5D,SHA256=E52C4619C837358454B969D31E2E14ACDEDABB384272D48C03E4F0AF9A2C2B6E,IMPHASH=9651C547656809410E78B358203C1A1DtrueMicrosoft WindowsValid 734700x8000000000000000150683309Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.028{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\System32\dwm.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 10341000x8000000000000000150683308Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.028{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150683307Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.028{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\MrmCoreR.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Windows MRMMicrosoft® Windows® Operating SystemMicrosoft CorporationMrmCore.dllMD5=D730B5700BEB4A7E6E4244684356739C,SHA256=26083BEB490E48F5711D69A0E597B7A4CC6FB4B31EDCD535A0FF0DFBE4E6F8DD,IMPHASH=462A9FA6F44F25C68798F197AC8EC9D9trueMicrosoft WindowsValid 10341000x8000000000000000150683306Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.028{3BF36828-4B39-61E8-0C00-00000000CF01}8403164C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683305Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.028{3BF36828-4B39-61E8-0C00-00000000CF01}8403164C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150683304Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.028{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\System32\dwm.exeC:\Windows\System32\dwmcore.dll10.0.14393.3297 (rs1_release_1.191001-1045)Microsoft DWM Core LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationdwmcoreMD5=03C407A9E53E7F5B008408EE7DD98C49,SHA256=128569219AE53C10BBF6630E2CEF5CAEE94EEE53D149EAB67B8FE527C77C73F5,IMPHASH=3574E7EBEB7B8AD883019C49AAEB6220trueMicrosoft WindowsValid 734700x8000000000000000150683303Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.028{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\System32\dwm.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150683302Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.028{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\System32\dwm.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000150683301Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.028{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150683300Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.028{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\System32\dwm.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000150683299Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.028{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\System32\dwm.exeC:\Windows\System32\dwmredir.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft Desktop Window Manager Redirection ComponentMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmredir.dllMD5=05B2A35A72410F77A402FA5B76CF2086,SHA256=13F6D45C49526D75A2E781E59E0C73DF7774579BEF684782B5A283926F8D390E,IMPHASH=EB1A8B672979894B61A21251DA6441A6trueMicrosoft WindowsValid 734700x8000000000000000150683298Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.028{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\System32\dwm.exeC:\Windows\System32\uDWM.dll10.0.14393.2608 (rs1_release.181024-1742)Microsoft Desktop Window ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationudwm.dllMD5=92156F4F346EEF68A638B377310E5A44,SHA256=1ACA1754494BC261C5AE9891F3CDFE9A9060D1F882858B9087E6365C9572D360,IMPHASH=4454B28575E3D261B0B850E37D02A98DtrueMicrosoft WindowsValid 734700x8000000000000000150683297Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.028{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\Windows.UI.XamlHost.dll10.0.14393.4169 (rs1_release.210107-1130)XAML HostMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.UI.XamlHost.dllMD5=3EF300C64E57C482FEC2A62454CC45BC,SHA256=CED0EEE32D019EAF1BE70190B87FA9858054DEE20DE77EF0BDC67C2B8B0DD669,IMPHASH=76C7A23349305BC2F339502E1330DC92trueMicrosoft WindowsValid 734700x8000000000000000150683296Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.028{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\System32\dwm.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 10341000x8000000000000000150683295Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.028{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683294Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.028{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150683293Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.028{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\msctf.dll10.0.14393.4225 (rs1_release.210127-1811)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=1FD254D30743876981194F7E17ECDB6F,SHA256=0CB67AC140097A888B7ED85C9A31F8967D16661B82557CE5D61FA70A85BDF8B8,IMPHASH=BC8DDE4D2412D48001350313FD2B7840trueMicrosoft WindowsValid 734700x8000000000000000150683292Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.028{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\System32\dwm.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000150683291Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.028{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\System32\dwm.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000150683290Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.028{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\System32\dwm.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x8000000000000000150683289Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.028{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\BCP47Langs.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)BCP47 Language ClassesMicrosoft® Windows® Operating SystemMicrosoft CorporationBCP47Lang.dllMD5=F688C2B9DD2EB56C3B0312B6380338AA,SHA256=B22DB210486D3B5F4EEB17900C5E7AA0EEFEDBB068A0C4858EFE9F8018C34628,IMPHASH=31EA1856BC7597303D8126028BBFDFB8trueMicrosoft WindowsValid 734700x8000000000000000150683288Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.028{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\System32\dwm.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000150683287Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.013{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\System32\dwm.exeC:\Windows\System32\apphelp.dll10.0.14393.4350 (rs1_release.210407-2154)Application Compatibility Client LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationApphelpMD5=92330FA0551BFFBB8C1C97E86F9A0264,SHA256=0F341AF375236EBF7047F6AE50F2834566F0D859F0F02B8A5FFD7F29C31B0117,IMPHASH=BF1AF19CCBABA6D54178C43BE36CD985trueMicrosoft WindowsValid 734700x8000000000000000150683286Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.013{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\System32\dwm.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000150683285Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.013{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\System32\dwm.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000150683284Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.013{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\System32\dwm.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150683283Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.013{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\System32\dwm.exeC:\Windows\System32\dwm.exe10.0.14393.0 (rs1_release.160715-1616)Desktop Window ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationdwm.exeMD5=C89F159A577F19F7F03C73C98D29D841,SHA256=B3E37997C1C62DD90D69EF83D6A6FC782BF9A5B8AD04A0D1528A8B7FA31AA408,IMPHASH=DDB7DE3741333EE031929A760FCD4542trueMicrosoft WindowsValid 734700x8000000000000000150683282Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.013{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=74621C6ABE4E9A568DF0A38E7282D71E,SHA256=0788A092D47800D0EB120A7DBB9E59234D0722A4A2E80ECE6CE70E3A84A3750A,IMPHASH=ADB9F71ACD4F7D3CF761AB6C59A7F1E5trueMicrosoft WindowsValid 734700x8000000000000000150683281Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.013{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\System32\winlogon.exeC:\Windows\System32\apphelp.dll10.0.14393.4350 (rs1_release.210407-2154)Application Compatibility Client LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationApphelpMD5=92330FA0551BFFBB8C1C97E86F9A0264,SHA256=0F341AF375236EBF7047F6AE50F2834566F0D859F0F02B8A5FFD7F29C31B0117,IMPHASH=BF1AF19CCBABA6D54178C43BE36CD985trueMicrosoft WindowsValid 734700x8000000000000000150683280Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.013{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 10341000x8000000000000000150683279Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.013{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683278Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.013{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150683277Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.013{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 10341000x8000000000000000150683276Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.013{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150683275Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.013{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\wtsapi32.dll10.0.14393.0 (rs1_release.160715-1616)Windows Remote Desktop Session Host Server SDK APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationwtsapi32.dllMD5=D0DB3DD09FB2B4ADABF4E719FAFC4EB9,SHA256=8B7C056B5F4AB604ED5077A39C63CE1B5A34929DE76DA4A3C54D6E648D123BAB,IMPHASH=AD7CEB919D43FA2BD394EC803EB6BCDAtrueMicrosoft WindowsValid 10341000x8000000000000000150683274Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.013{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150683273Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.013{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\wincorlib.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Windows ® WinRT core libraryMicrosoft® Windows® Operating SystemMicrosoft Corporationwincorlib.DLLMD5=F08F4542548A5CD4F521491164598021,SHA256=D60844E5A091DD42CB1BC03CA76B8BBAF55C5B1A9EC3F1403AB241DDE36CA630,IMPHASH=7118E177B350BBAD51DE9533CF52B852trueMicrosoft WindowsValid 10341000x8000000000000000150683272Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.013{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683271Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.013{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683270Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.013{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150683269Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.013{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\Windows.UI.Logon.dll10.0.14393.4402 (rs1_release.210426-1725)Logon User ExperienceMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.UI.Logon.dllMD5=30C95AED65FA45F9EFF52E3C530C63D6,SHA256=9E8EE30967269AC252D9DA33E45DFCE540676F5A6E730B88FE843E48EBE49457,IMPHASH=54FBE131063E4D40AC82419379C61133trueMicrosoft WindowsValid 10341000x8000000000000000150683268Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.013{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683267Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.013{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683266Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.013{3BF36828-BB2C-61F9-810D-02000000CF01}25243744C:\Windows\system32\csrss.exe{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000150683265Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.013{3BF36828-BB2C-61F9-820D-02000000CF01}9124188C:\Windows\system32\winlogon.exe{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\SYSTEM32\dwminit.dll+2d11|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000150683264Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.021{3BF36828-BB2D-61F9-840D-02000000CF01}6072C:\Windows\System32\dwm.exe10.0.14393.0 (rs1_release.160715-1616)Desktop Window ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationdwm.exe"dwm.exe"C:\Windows\system32\Window Manager\DWM-4{3BF36828-BB2C-61F9-2E3E-501300000000}0x13503e2e4SystemMD5=C89F159A577F19F7F03C73C98D29D841,SHA256=B3E37997C1C62DD90D69EF83D6A6FC782BF9A5B8AD04A0D1528A8B7FA31AA408,IMPHASH=DDB7DE3741333EE031929A760FCD4542{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\System32\winlogon.exewinlogon.exe 734700x8000000000000000150683263Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.013{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\winsta.dll10.0.14393.0 (rs1_release.160715-1616)Winstation LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationwinsta.dllMD5=12668CEFEE3754CFA61C5699821668B3,SHA256=D0C81619EDE8B846D98417989684EF16DF3A053CC049C7281E40F3359AD5B570,IMPHASH=2E790E44628AED89C2CC17E1E4A5CE1CtrueMicrosoft WindowsValid 10341000x8000000000000000150683262Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.013{3BF36828-BB2C-61F9-830D-02000000CF01}21405896C:\Windows\system32\LogonUI.exe{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\logoncontroller.dll+2eef5|C:\Windows\System32\RPCRT4.dll+48674|C:\Windows\System32\RPCRT4.dll+31850|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683261Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.013{3BF36828-4B37-61E8-0B00-00000000CF01}6322768C:\Windows\system32\lsass.exe{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1b160|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683260Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.013{3BF36828-4B37-61E8-0B00-00000000CF01}6322768C:\Windows\system32\lsass.exe{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683259Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.013{3BF36828-4B37-61E8-0B00-00000000CF01}6322768C:\Windows\system32\lsass.exe{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150683258Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.013{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\sppc.dll10.0.14393.67 (rs1_release.160804-2231)Software Licensing Client DllMicrosoft® Windows® Operating SystemMicrosoft Corporationsppc.dllMD5=7CF84329545035CC0833119C7268A620,SHA256=49E3FA8B9F9ACB1A2CEDE37970361316C93286CEE7F70DE5985E7135498A4210,IMPHASH=BC4A2B9355432144727A5322381AB386trueMicrosoft WindowsValid 734700x8000000000000000150683257Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.013{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=24C1E8F8C10471C5A6F0E8AF141211EB,SHA256=75ECAE23C920D81614BA5C0648377C2FC04C7379FD6A388C244A81F50AAB7B1C,IMPHASH=0B9A3C99AAFA99247F9E2BD866186AEAtrueMicrosoft WindowsValid 734700x8000000000000000150683256Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.013{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=24C1E8F8C10471C5A6F0E8AF141211EB,SHA256=75ECAE23C920D81614BA5C0648377C2FC04C7379FD6A388C244A81F50AAB7B1C,IMPHASH=0B9A3C99AAFA99247F9E2BD866186AEAtrueMicrosoft WindowsValid 734700x8000000000000000150683255Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.997{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\slc.dll10.0.14393.67 (rs1_release.160804-2231)Software Licensing Client DllMicrosoft® Windows® Operating SystemMicrosoft Corporationslc.dllMD5=060E11DCB875D981E948073986E295DC,SHA256=30858EA58F24537CC3369091F92AD70C59877BDB1FDF8DEC7762A7AB72DDE885,IMPHASH=70AAA0F56F084D1AE09EB5CD51B268ECtrueMicrosoft WindowsValid 734700x8000000000000000150683254Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.997{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=F16410F5D557337B05CF4F93691EC106,SHA256=2B5BC3C0A6514356C6719298FC25D8D192A2C973EE3283EF48379D2745C9BD87,IMPHASH=9F0D37252D56D3F9E44E69CCC59B57AEtrueMicrosoft WindowsValid 734700x8000000000000000150683253Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.997{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x8000000000000000150683252Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.997{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x8000000000000000150683251Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.997{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x8000000000000000150683250Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.997{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000150683249Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.997{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\userenv.dll10.0.14393.3986 (rs1_release.201002-1707)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=047D26DCED07A10913C3E7C3A7502BED,SHA256=143C661F79AC6BB271452A10C2A19F6B1AAAAE43B4062B6CFF173F7D8ABC40FE,IMPHASH=C84FC60AE2A79A06E8C46A6929CDECB4trueMicrosoft WindowsValid 734700x8000000000000000150683248Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.997{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x8000000000000000150683247Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.997{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CA,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x8000000000000000150683246Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.997{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430D,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x8000000000000000150683245Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.997{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\LogonController.dll10.0.14393.4169 (rs1_release.210107-1130)Logon UX ControllerMicrosoft® Windows® Operating SystemMicrosoft CorporationLogonController.dllMD5=EEFFA85317E0C7483D747B7C0F20ED38,SHA256=6DC57621059816648A4D438874A29C3F697A86EFC8B04E2945F2C74733DB28A5,IMPHASH=B3F665DED064F7C7E844A2E67FA0267DtrueMicrosoft WindowsValid 734700x8000000000000000150683244Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.997{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2,IMPHASH=0BE8D1F061DD646F6D2B834CB7C9C900trueMicrosoft WindowsValid 10341000x8000000000000000150683243Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.997{3BF36828-4B3A-61E8-1600-00000000CF01}13002144C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683242Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.997{3BF36828-4B3A-61E8-1600-00000000CF01}13001356C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\system32\LogonUI.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150683241Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.997{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 734700x8000000000000000150683240Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.997{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x8000000000000000150683239Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:52.997{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000150683979Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.747{3BF36828-DC58-61EA-5E4E-00000000CF01}1296C:\Windows\System32\rdpclip.exeC:\Windows\System32\networkexplorer.dll10.0.14393.0 (rs1_release.160715-1616)Network ExplorerMicrosoft® Windows® Operating SystemMicrosoft CorporationNetworkExplorer.DLLMD5=889484BE2979D3C693D194BF4E5F2C82,SHA256=BC046600D8B8DA1652AD584DFAC4D799D4E772BFAF833C50B8F2F91D7D65D6B6,IMPHASH=82DF5355ECE040AB2EB1CF3A3223A564trueMicrosoft WindowsValid 13241300x8000000000000000150683978Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.localT1122SetValue2022-02-01 22:58:54.731{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exeHKCR\WOW6432Node\CLSID\{1F9C7E02-00BB-493E-BA1E-1DCA09472A6F}\InProcServer32\(Default)%%SystemRoot%%\system32\shdocvw.dll 13241300x8000000000000000150683977Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.localT1122SetValue2022-02-01 22:58:54.731{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exeHKCR\CLSID\{1F9C7E02-00BB-493E-BA1E-1DCA09472A6F}\InProcServer32\(Default)%%SystemRoot%%\system32\shdocvw.dll 23542300x8000000000000000150683976Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.419{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23BEA7084C4957941FB080DA80A11267,SHA256=5D4B0A25E161A7F5F35C8807F928B8FBF513452DD408933139450861553C5D7E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087196Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:54.079{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1753EB1158E4F13FEBE8DEC7D0EC727,SHA256=FC5A55BDB05411FE29D836D822BD632CFACCC61C546A2F3F2DA0DA3384E76555,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000150683975Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.403{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-DC57-61EA-5B4E-00000000CF01}4144C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683974Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.403{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-DC57-61EA-5B4E-00000000CF01}4144C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683973Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.403{3BF36828-4B39-61E8-0C00-00000000CF01}8402592C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2200-00000000CF01}2720C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6668|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000150683972Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:36.585{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local59766-false10.0.1.12-8089- 10341000x8000000000000000150683971Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.310{3BF36828-4B39-61E8-0C00-00000000CF01}8403164C:\Windows\system32\svchost.exe{3BF36828-DC58-61EA-5E4E-00000000CF01}1296C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000150683970Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.294{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45D29BFF61C20B7DAEE1B98D2E5CECBF,SHA256=0360FFDA5733DC509DECBDC7FC50C58F22484C5042848AAFD3C97F0ED0582F66,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000150683969Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.263{3BF36828-BB2E-61F9-880D-02000000CF01}5192C:\Windows\System32\dllhost.exeC:\Windows\System32\actxprxy.dll10.0.14393.3808 (rs1_release.200707-2105)ActiveX Interface Marshaling LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationActXPrxy.dllMD5=087C47C19BBFCB9F4932C03C0189E86B,SHA256=9BEE35FBFA2E595372D82E8858BE46CE7717E0399996960398BC238F4D0E5207,IMPHASH=24160898971C9C6FED5AE429E3AAD3DAtrueMicrosoft WindowsValid 734700x8000000000000000150683968Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.263{3BF36828-BB2E-61F9-880D-02000000CF01}5192C:\Windows\System32\dllhost.exeC:\Windows\System32\ntmarta.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=854A3CAE7C97B630158C9F7EE8555970,SHA256=20F0A4D99C5095A0CAC39B816BFC987F64CD051843C79E027714666375986176,IMPHASH=98050D95AE15C8382F287539F2BF65FAtrueMicrosoft WindowsValid 734700x8000000000000000150683967Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.263{3BF36828-BB2E-61F9-880D-02000000CF01}5192C:\Windows\System32\dllhost.exeC:\Windows\System32\Windows.UI.Immersive.dll10.0.14393.4283 (rs1_release.210303-1802)WINDOWS.UI.IMMERSIVEMicrosoft® Windows® Operating SystemMicrosoft CorporationWINDOWS.UI.IMMERSIVE.dllMD5=4331AC493E264AF1378E0082194D07A5,SHA256=81B8E123110B9C7A34957B9176791AD86EA874315D4555FDC85CF20975E08D99,IMPHASH=C0750252600F63F4BA1D73794E8FE8C0trueMicrosoft WindowsValid 734700x8000000000000000150683966Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.263{3BF36828-BB2E-61F9-880D-02000000CF01}5192C:\Windows\System32\dllhost.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 734700x8000000000000000150683965Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.247{3BF36828-BB2E-61F9-880D-02000000CF01}5192C:\Windows\System32\dllhost.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000150683964Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.247{3BF36828-BB2E-61F9-880D-02000000CF01}5192C:\Windows\System32\dllhost.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000150683963Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.247{3BF36828-BB2E-61F9-880D-02000000CF01}5192C:\Windows\System32\dllhost.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000150683962Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.247{3BF36828-BB2E-61F9-880D-02000000CF01}5192C:\Windows\System32\dllhost.exeC:\Windows\System32\TaskSchdPS.dll10.0.14393.0 (rs1_release.160715-1616)Task Scheduler Interfaces ProxyMicrosoft® Windows® Operating SystemMicrosoft CorporationTaskSchdPS.dllMD5=2C64E139BAC3F2852567622F77B02C50,SHA256=EA9ED3B6173722EA707EDCFD7276E036E56F957B85822B727986BCD6F7FACD5C,IMPHASH=83D2415AAD098FF1BBFF89F44AF25EC5trueMicrosoft WindowsValid 734700x8000000000000000150683961Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.247{3BF36828-BB2E-61F9-880D-02000000CF01}5192C:\Windows\System32\dllhost.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x8000000000000000150683960Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.247{3BF36828-BB2E-61F9-880D-02000000CF01}5192C:\Windows\System32\dllhost.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430D,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x8000000000000000150683959Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.247{3BF36828-BB2E-61F9-880D-02000000CF01}5192C:\Windows\System32\dllhost.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CA,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x8000000000000000150683958Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.247{3BF36828-BB2E-61F9-880D-02000000CF01}5192C:\Windows\System32\dllhost.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x8000000000000000150683957Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.247{3BF36828-BB2E-61F9-880D-02000000CF01}5192C:\Windows\System32\dllhost.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x8000000000000000150683956Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.247{3BF36828-BB2E-61F9-880D-02000000CF01}5192C:\Windows\System32\dllhost.exeC:\Windows\System32\windows.storage.dll10.0.14393.4402 (rs1_release.210426-1725)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=DCB0FEE21129CF5397BBB8060CC5F62C,SHA256=89A6859022294A24D5253F4206FD49A45A1DEF34ACC894BF94CA0203DAE81623,IMPHASH=181A859176420BBB803F246C0E4B0889trueMicrosoft WindowsValid 734700x8000000000000000150683955Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.247{3BF36828-BB2E-61F9-880D-02000000CF01}5192C:\Windows\System32\dllhost.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x8000000000000000150683954Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.247{3BF36828-BB2E-61F9-880D-02000000CF01}5192C:\Windows\System32\dllhost.exeC:\Windows\System32\shell32.dll10.0.14393.4402 (rs1_release.210426-1725)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=5B28CA0CDE72EA21C402B62DDA249256,SHA256=8E46588F0A51745F89CB6C3011B227BE504D9B9D14FF33910DF57F4EDF15ED9A,IMPHASH=2ED99A476E2DEFB78DF894322CB4A549trueMicrosoft WindowsValid 734700x8000000000000000150683953Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.247{3BF36828-BB2E-61F9-880D-02000000CF01}5192C:\Windows\System32\dllhost.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000150683952Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.247{3BF36828-BB2E-61F9-880D-02000000CF01}5192C:\Windows\System32\dllhost.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000150683951Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.247{3BF36828-BB2E-61F9-880D-02000000CF01}5192C:\Windows\System32\dllhost.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150683950Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.247{3BF36828-BB2E-61F9-880D-02000000CF01}5192C:\Windows\System32\dllhost.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000150683949Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.247{3BF36828-BB2E-61F9-880D-02000000CF01}5192C:\Windows\System32\dllhost.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 10341000x8000000000000000150683948Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.247{3BF36828-4B39-61E8-0C00-00000000CF01}8403164C:\Windows\system32\svchost.exe{3BF36828-BB2E-61F9-880D-02000000CF01}5192C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150683947Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.247{3BF36828-BB2E-61F9-880D-02000000CF01}5192C:\Windows\System32\dllhost.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2,IMPHASH=0BE8D1F061DD646F6D2B834CB7C9C900trueMicrosoft WindowsValid 734700x8000000000000000150683946Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.247{3BF36828-BB2E-61F9-880D-02000000CF01}5192C:\Windows\System32\dllhost.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000150683945Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.247{3BF36828-BB2E-61F9-880D-02000000CF01}5192C:\Windows\System32\dllhost.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000150683944Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.247{3BF36828-BB2E-61F9-880D-02000000CF01}5192C:\Windows\System32\dllhost.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000150683943Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.247{3BF36828-BB2E-61F9-880D-02000000CF01}5192C:\Windows\System32\dllhost.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000150683942Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.231{3BF36828-BB2E-61F9-880D-02000000CF01}5192C:\Windows\System32\dllhost.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000150683941Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.231{3BF36828-BB2E-61F9-880D-02000000CF01}5192C:\Windows\System32\dllhost.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000150683940Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.231{3BF36828-BB2E-61F9-880D-02000000CF01}5192C:\Windows\System32\dllhost.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000150683939Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.231{3BF36828-BB2E-61F9-880D-02000000CF01}5192C:\Windows\System32\dllhost.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000150683938Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.231{3BF36828-BB2E-61F9-880D-02000000CF01}5192C:\Windows\System32\dllhost.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150683937Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.231{3BF36828-BB2E-61F9-880D-02000000CF01}5192C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe10.0.14393.0 (rs1_release.160715-1616)COM SurrogateMicrosoft® Windows® Operating SystemMicrosoft Corporationdllhost.exeMD5=DA63852A2B0340E94D74EAF0CD444979,SHA256=EE8364C07B3F4F71FA649E0E6C4C73C15D285130E4B16E79890EEBBF89C2164E,IMPHASH=1C99A7F1249FB0C7B924253B69E59F88trueMicrosoft WindowsValid 10341000x8000000000000000150683936Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.231{3BF36828-4B36-61E8-0500-00000000CF01}416532C:\Windows\system32\csrss.exe{3BF36828-BB2E-61F9-880D-02000000CF01}5192C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000150683935Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.231{3BF36828-4B39-61E8-0C00-00000000CF01}8403164C:\Windows\system32\svchost.exe{3BF36828-BB2E-61F9-880D-02000000CF01}5192C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000150683934Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.231{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75E5DED05427368A48371FE3F7821A71,SHA256=17819FAD6A7E9FDDAB24EE701686F0999219D4D6D196BF632AB742DDD35B2FE5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000150683933Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.216{3BF36828-BB2E-61F9-870D-02000000CF01}2792C:\Windows\System32\taskhostw.exeC:\Windows\System32\TaskSchdPS.dll10.0.14393.0 (rs1_release.160715-1616)Task Scheduler Interfaces ProxyMicrosoft® Windows® Operating SystemMicrosoft CorporationTaskSchdPS.dllMD5=2C64E139BAC3F2852567622F77B02C50,SHA256=EA9ED3B6173722EA707EDCFD7276E036E56F957B85822B727986BCD6F7FACD5C,IMPHASH=83D2415AAD098FF1BBFF89F44AF25EC5trueMicrosoft WindowsValid 734700x8000000000000000150683932Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.216{3BF36828-BB2E-61F9-870D-02000000CF01}2792C:\Windows\System32\taskhostw.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x8000000000000000150683931Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.216{3BF36828-BB2E-61F9-870D-02000000CF01}2792C:\Windows\System32\taskhostw.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430D,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x8000000000000000150683930Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.216{3BF36828-BB2E-61F9-870D-02000000CF01}2792C:\Windows\System32\taskhostw.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CA,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x8000000000000000150683929Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.216{3BF36828-BB2E-61F9-870D-02000000CF01}2792C:\Windows\System32\taskhostw.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x8000000000000000150683928Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.216{3BF36828-BB2E-61F9-870D-02000000CF01}2792C:\Windows\System32\taskhostw.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x8000000000000000150683927Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.216{3BF36828-BB2E-61F9-870D-02000000CF01}2792C:\Windows\System32\taskhostw.exeC:\Windows\System32\windows.storage.dll10.0.14393.4402 (rs1_release.210426-1725)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=DCB0FEE21129CF5397BBB8060CC5F62C,SHA256=89A6859022294A24D5253F4206FD49A45A1DEF34ACC894BF94CA0203DAE81623,IMPHASH=181A859176420BBB803F246C0E4B0889trueMicrosoft WindowsValid 734700x8000000000000000150683926Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.216{3BF36828-BB2E-61F9-870D-02000000CF01}2792C:\Windows\System32\taskhostw.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x8000000000000000150683925Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.216{3BF36828-BB2E-61F9-870D-02000000CF01}2792C:\Windows\System32\taskhostw.exeC:\Windows\System32\shell32.dll10.0.14393.4402 (rs1_release.210426-1725)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=5B28CA0CDE72EA21C402B62DDA249256,SHA256=8E46588F0A51745F89CB6C3011B227BE504D9B9D14FF33910DF57F4EDF15ED9A,IMPHASH=2ED99A476E2DEFB78DF894322CB4A549trueMicrosoft WindowsValid 734700x8000000000000000150683924Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.216{3BF36828-BB2E-61F9-870D-02000000CF01}2792C:\Windows\System32\taskhostw.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2,IMPHASH=0BE8D1F061DD646F6D2B834CB7C9C900trueMicrosoft WindowsValid 734700x8000000000000000150683923Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.216{3BF36828-BB2E-61F9-870D-02000000CF01}2792C:\Windows\System32\taskhostw.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000150683922Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.216{3BF36828-BB2E-61F9-870D-02000000CF01}2792C:\Windows\System32\taskhostw.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000150683921Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.200{3BF36828-BB2E-61F9-870D-02000000CF01}2792C:\Windows\System32\taskhostw.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000150683920Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.200{3BF36828-BB2E-61F9-870D-02000000CF01}2792C:\Windows\System32\taskhostw.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000150683919Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.200{3BF36828-BB2E-61F9-870D-02000000CF01}2792C:\Windows\System32\taskhostw.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150683918Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.200{3BF36828-BB2E-61F9-870D-02000000CF01}2792C:\Windows\System32\taskhostw.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000150683917Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.200{3BF36828-BB2E-61F9-870D-02000000CF01}2792C:\Windows\System32\taskhostw.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 18141800x8000000000000000150683916Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-ConnectPipe2022-02-01 22:58:54.200{3BF36828-4B39-61E8-0F00-00000000CF01}100\TSVCPIPE-f3aae42b-6d29-4106-9be1-1abd921ef3a6C:\Windows\System32\svchost.exe 734700x8000000000000000150683915Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.200{3BF36828-BB2E-61F9-870D-02000000CF01}2792C:\Windows\System32\taskhostw.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000150683914Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.200{3BF36828-BB2E-61F9-870D-02000000CF01}2792C:\Windows\System32\taskhostw.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000150683913Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.200{3BF36828-BB2E-61F9-870D-02000000CF01}2792C:\Windows\System32\taskhostw.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000150683912Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.200{3BF36828-BB2E-61F9-870D-02000000CF01}2792C:\Windows\System32\taskhostw.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 10341000x8000000000000000150683911Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.200{3BF36828-4B39-61E8-0C00-00000000CF01}8403164C:\Windows\system32\svchost.exe{3BF36828-DC58-61EA-5E4E-00000000CF01}1296C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683910Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.200{3BF36828-4B39-61E8-0C00-00000000CF01}8403164C:\Windows\system32\svchost.exe{3BF36828-DC58-61EA-5E4E-00000000CF01}1296C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150683909Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.200{3BF36828-BB2E-61F9-870D-02000000CF01}2792C:\Windows\System32\taskhostw.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000150683908Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.200{3BF36828-BB2E-61F9-870D-02000000CF01}2792C:\Windows\System32\taskhostw.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000150683907Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.200{3BF36828-BB2E-61F9-870D-02000000CF01}2792C:\Windows\System32\taskhostw.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000150683906Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.200{3BF36828-BB2E-61F9-870D-02000000CF01}2792C:\Windows\System32\taskhostw.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000150683905Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.200{3BF36828-BB2E-61F9-870D-02000000CF01}2792C:\Windows\System32\taskhostw.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000150683904Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.200{3BF36828-BB2E-61F9-870D-02000000CF01}2792C:\Windows\System32\taskhostw.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150683903Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.200{3BF36828-BB2E-61F9-870D-02000000CF01}2792C:\Windows\System32\taskhostw.exeC:\Windows\System32\taskhostw.exe10.0.14393.3297 (rs1_release_1.191001-1045)Host Process for Windows TasksMicrosoft® Windows® Operating SystemMicrosoft Corporationtaskhostw.exeMD5=B5D41CD8E27C26DA82B11B277D233B04,SHA256=1876990EEBC99F0B0F66BEC435FE2810E450532E23E22427DA31A09802394461,IMPHASH=1CCD2E7A159E4500473733FB9D75028BtrueMicrosoft WindowsValid 10341000x8000000000000000150683902Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.200{3BF36828-4B39-61E8-0C00-00000000CF01}8403164C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683901Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.200{3BF36828-4B39-61E8-0C00-00000000CF01}8403164C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683900Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.200{3BF36828-4B39-61E8-0C00-00000000CF01}8403164C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683899Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.200{3BF36828-4B39-61E8-0C00-00000000CF01}8403164C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683898Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.200{3BF36828-4B39-61E8-0C00-00000000CF01}8403164C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2B00-00000000CF01}3000C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683897Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.200{3BF36828-4B39-61E8-0C00-00000000CF01}8403164C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2B00-00000000CF01}3000C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000150683896Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.200{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A32FE2A8F2D80ADE657568293622E58F,SHA256=00EF17E126C3412DEDBBFD2EADC5F3F94FEEE8B4E3524B4818F12CC19F3FAE38,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000150683895Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.185{3BF36828-4B39-61E8-0C00-00000000CF01}8403164C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683894Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.185{3BF36828-4B39-61E8-0C00-00000000CF01}8403164C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150683893Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.185{3BF36828-0669-61F8-11DA-01000000CF01}6068C:\Windows\explorer.exeC:\Windows\System32\taskschd.dll10.0.14393.4402 (rs1_release.210426-1725)Task Scheduler COM APIMicrosoft® Windows® Operating SystemMicrosoft Corporationtaskschd.dllMD5=76BF5CA81C749140E05C7519B13B299E,SHA256=D5CBDB2EEE67E582198F9DB213EC95DF9107F08D646E67FFA723066CC434B515,IMPHASH=2C7BF5CADC559377391AFDF385763E3CtrueMicrosoft WindowsValid 10341000x8000000000000000150683892Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.169{3BF36828-4B39-61E8-0C00-00000000CF01}8403164C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1700-00000000CF01}1424C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683891Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.169{3BF36828-4B39-61E8-0C00-00000000CF01}8403164C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+6260e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000150683890Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.169{3BF36828-4B39-61E8-0C00-00000000CF01}8403164C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-0F00-00000000CF01}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+625bd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 18141800x8000000000000000150683889Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-ConnectPipe2022-02-01 22:58:54.169{3BF36828-4B39-61E8-0F00-00000000CF01}100\TSVCPIPE-f3aae42b-6d29-4106-9be1-1abd921ef3a6C:\Windows\System32\svchost.exe 10341000x8000000000000000150683888Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.169{3BF36828-4B39-61E8-0C00-00000000CF01}8403164C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683887Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.169{3BF36828-4B39-61E8-0C00-00000000CF01}8403164C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683886Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.169{3BF36828-4B39-61E8-0C00-00000000CF01}8403164C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683885Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-BB29-61F9-7F0D-02000000CF01}6104C:\Windows\system32\TSTheme.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683884Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-ADC3-61F9-EF0B-02000000CF01}864C:\Tools\x64\mimikatz.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683883Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-9F77-61F9-3D0A-02000000CF01}6084C:\Windows\system32\conhost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683882Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-9F77-61F9-3C0A-02000000CF01}5760C:\Windows\system32\cmd.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683881Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-9F48-61F9-300A-02000000CF01}2504C:\Windows\system32\conhost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683880Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-9F48-61F9-2F0A-02000000CF01}4924C:\Windows\system32\cmd.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683879Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-96A8-61F9-2409-02000000CF01}5088C:\Windows\system32\conhost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683878Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-96A8-61F9-2309-02000000CF01}6048C:\Windows\system32\cmd.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683877Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-066A-61F8-13DA-01000000CF01}3168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683876Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-066A-61F8-12DA-01000000CF01}6088C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683875Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-0669-61F8-11DA-01000000CF01}6068C:\Windows\explorer.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683874Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-0828-61EF-D7CB-00000000CF01}4688C:\Windows\system32\conhost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683873Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-0828-61EF-D6CB-00000000CF01}3860C:\Windows\system32\cmd.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683872Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-DC58-61EA-614E-00000000CF01}5988C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683871Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-DC58-61EA-5E4E-00000000CF01}1296C:\Windows\System32\rdpclip.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683870Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-DC57-61EA-5B4E-00000000CF01}4144C:\Windows\system32\dwm.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683869Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-DC57-61EA-594E-00000000CF01}304C:\Windows\system32\winlogon.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683868Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4BC4-61E8-8400-00000000CF01}4780C:\Windows\System32\msdtc.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683867Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B5D-61E8-7600-00000000CF01}3900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683866Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B56-61E8-6D00-00000000CF01}4044C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683865Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B4B-61E8-4200-00000000CF01}3736C:\Windows\system32\conhost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683864Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B4B-61E8-3E00-00000000CF01}3632C:\Windows\System32\vds.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683863Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B4B-61E8-3D00-00000000CF01}3608C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683862Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B4B-61E8-3600-00000000CF01}3444C:\Windows\system32\conhost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683861Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B4A-61E8-3200-00000000CF01}1116C:\Windows\system32\wbem\unsecapp.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683860Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-3100-00000000CF01}2444C:\Windows\system32\inetsrv\inetinfo.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683859Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-3000-00000000CF01}2408C:\Windows\system32\dfssvc.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683858Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2F00-00000000CF01}2052C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683857Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2E00-00000000CF01}2160C:\Windows\system32\dns.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683856Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683855Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2C00-00000000CF01}3020C:\Windows\System32\ismserv.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683854Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2B00-00000000CF01}3000C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683853Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683852Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2900-00000000CF01}2980C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683851Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2700-00000000CF01}2840C:\Windows\system32\DFSRs.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683850Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2600-00000000CF01}2832C:\Windows\system32\ocspsvc.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683849Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2500-00000000CF01}2824C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683848Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2400-00000000CF01}2816C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683847Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2300-00000000CF01}2808C:\Windows\system32\certsrv.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683846Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2200-00000000CF01}2720C:\Windows\System32\spoolsv.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683845Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B43-61E8-2000-00000000CF01}2568C:\Windows\System32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683844Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1D00-00000000CF01}2104C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683843Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1700-00000000CF01}1424C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683842Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683841Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1500-00000000CF01}1232C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683840Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1400-00000000CF01}1072C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683839Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1300-00000000CF01}352C:\Windows\System32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683838Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1200-00000000CF01}412C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683837Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683836Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1000-00000000CF01}356C:\Windows\system32\dwm.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683835Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-0F00-00000000CF01}100C:\Windows\System32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683834Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-0E00-00000000CF01}996C:\Windows\system32\LogonUI.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683833Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-0D00-00000000CF01}900C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683832Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B37-61E8-0B00-00000000CF01}632C:\Windows\system32\lsass.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683831Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B37-61E8-0900-00000000CF01}572C:\Windows\system32\winlogon.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683830Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-BB29-61F9-7F0D-02000000CF01}6104C:\Windows\system32\TSTheme.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683829Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-ADC3-61F9-EF0B-02000000CF01}864C:\Tools\x64\mimikatz.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683828Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-9F77-61F9-3D0A-02000000CF01}6084C:\Windows\system32\conhost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683827Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-9F77-61F9-3C0A-02000000CF01}5760C:\Windows\system32\cmd.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683826Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-9F48-61F9-300A-02000000CF01}2504C:\Windows\system32\conhost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683825Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-9F48-61F9-2F0A-02000000CF01}4924C:\Windows\system32\cmd.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683824Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-96A8-61F9-2409-02000000CF01}5088C:\Windows\system32\conhost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683823Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-96A8-61F9-2309-02000000CF01}6048C:\Windows\system32\cmd.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683822Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-066A-61F8-13DA-01000000CF01}3168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683821Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-066A-61F8-12DA-01000000CF01}6088C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683820Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-0669-61F8-11DA-01000000CF01}6068C:\Windows\explorer.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683819Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-0828-61EF-D7CB-00000000CF01}4688C:\Windows\system32\conhost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683818Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-0828-61EF-D6CB-00000000CF01}3860C:\Windows\system32\cmd.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683817Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-DC58-61EA-614E-00000000CF01}5988C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683816Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-DC58-61EA-5E4E-00000000CF01}1296C:\Windows\System32\rdpclip.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683815Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-DC57-61EA-5B4E-00000000CF01}4144C:\Windows\system32\dwm.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683814Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-DC57-61EA-594E-00000000CF01}304C:\Windows\system32\winlogon.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683813Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4BC4-61E8-8400-00000000CF01}4780C:\Windows\System32\msdtc.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683812Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B5D-61E8-7600-00000000CF01}3900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683811Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B56-61E8-6D00-00000000CF01}4044C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683810Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B4B-61E8-4200-00000000CF01}3736C:\Windows\system32\conhost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683809Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B4B-61E8-3E00-00000000CF01}3632C:\Windows\System32\vds.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683808Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B4B-61E8-3D00-00000000CF01}3608C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683807Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B4B-61E8-3600-00000000CF01}3444C:\Windows\system32\conhost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683806Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B4A-61E8-3200-00000000CF01}1116C:\Windows\system32\wbem\unsecapp.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683805Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-3100-00000000CF01}2444C:\Windows\system32\inetsrv\inetinfo.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683804Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-3000-00000000CF01}2408C:\Windows\system32\dfssvc.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683803Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2F00-00000000CF01}2052C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683802Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2E00-00000000CF01}2160C:\Windows\system32\dns.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683801Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683800Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2C00-00000000CF01}3020C:\Windows\System32\ismserv.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683799Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2B00-00000000CF01}3000C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683798Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683797Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2900-00000000CF01}2980C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683796Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2700-00000000CF01}2840C:\Windows\system32\DFSRs.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683795Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2600-00000000CF01}2832C:\Windows\system32\ocspsvc.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683794Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2500-00000000CF01}2824C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683793Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2400-00000000CF01}2816C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683792Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2300-00000000CF01}2808C:\Windows\system32\certsrv.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683791Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2200-00000000CF01}2720C:\Windows\System32\spoolsv.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683790Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B43-61E8-2000-00000000CF01}2568C:\Windows\System32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683789Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1D00-00000000CF01}2104C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683788Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1700-00000000CF01}1424C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683787Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683786Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1500-00000000CF01}1232C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683785Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1400-00000000CF01}1072C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683784Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1300-00000000CF01}352C:\Windows\System32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683783Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1200-00000000CF01}412C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683782Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683781Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1000-00000000CF01}356C:\Windows\system32\dwm.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683780Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-0F00-00000000CF01}100C:\Windows\System32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683779Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-0E00-00000000CF01}996C:\Windows\system32\LogonUI.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683778Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-0D00-00000000CF01}900C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683777Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B37-61E8-0B00-00000000CF01}632C:\Windows\system32\lsass.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683776Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.153{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B37-61E8-0900-00000000CF01}572C:\Windows\system32\winlogon.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683775Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.138{3BF36828-4B3A-61E8-1600-00000000CF01}13002728C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+4689|c:\windows\system32\themeservice.dll+3fdd|c:\windows\system32\themeservice.dll+2870|c:\windows\system32\themeservice.dll+26d8|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000150683774Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.138{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE3A1DD2E89E4B8DF1D70593A9900A8D,SHA256=186A82731811E2B14088AE909E629741F3A3816F4DC6360293D68D9A97F0E3B1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000150683773Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.138{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2B00-00000000CF01}3000C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683772Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.138{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2B00-00000000CF01}3000C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000150683771Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.106{3BF36828-0669-61F8-11DA-01000000CF01}6068ATTACKRANGE\AdministratorC:\Windows\explorer.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1920_1080_POS4.jpgMD5=29909D3B662A429603C439A25717C213,SHA256=1C83A5D03C17235C3249936859F101C2934B0A7D569553A0D97C97A332ABE1AC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 18141800x8000000000000000150683770Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-ConnectPipe2022-02-01 22:58:54.106{3BF36828-4B39-61E8-0F00-00000000CF01}100\TSVCPIPE-f3aae42b-6d29-4106-9be1-1abd921ef3a6C:\Windows\System32\svchost.exe 734700x8000000000000000150683769Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.091{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=FD486B6FA360ABE43E02E85F3164E9BE,SHA256=733922A216EC03FC6AA405205CD2F8BB81A39180F26839588B97F310E21071B5,IMPHASH=C3F4A4DA2950075F09DD008B60FF567CtrueMicrosoft WindowsValid 18141800x8000000000000000150683768Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-ConnectPipe2022-02-01 22:58:54.075{3BF36828-4B39-61E8-0F00-00000000CF01}100\TSVCPIPE-f3aae42b-6d29-4106-9be1-1abd921ef3a6C:\Windows\System32\svchost.exe 734700x8000000000000000150683767Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.075{3BF36828-BB2E-61F9-860D-02000000CF01}5700C:\Windows\System32\AtBroker.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x8000000000000000150683766Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.075{3BF36828-BB2E-61F9-860D-02000000CF01}5700C:\Windows\System32\AtBroker.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 734700x8000000000000000150683765Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.060{3BF36828-BB2E-61F9-860D-02000000CF01}5700C:\Windows\System32\AtBroker.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x8000000000000000150683764Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.060{3BF36828-BB2E-61F9-860D-02000000CF01}5700C:\Windows\System32\AtBroker.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430D,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x8000000000000000150683763Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.060{3BF36828-BB2E-61F9-860D-02000000CF01}5700C:\Windows\System32\AtBroker.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000150683762Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.060{3BF36828-BB2E-61F9-860D-02000000CF01}5700C:\Windows\System32\AtBroker.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CA,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x8000000000000000150683761Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.060{3BF36828-BB2E-61F9-860D-02000000CF01}5700C:\Windows\System32\AtBroker.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x8000000000000000150683760Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.060{3BF36828-BB2E-61F9-860D-02000000CF01}5700C:\Windows\System32\AtBroker.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000150683759Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.060{3BF36828-BB2E-61F9-860D-02000000CF01}5700C:\Windows\System32\AtBroker.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000150683758Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.060{3BF36828-BB2E-61F9-860D-02000000CF01}5700C:\Windows\System32\AtBroker.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000150683757Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.060{3BF36828-BB2E-61F9-860D-02000000CF01}5700C:\Windows\System32\AtBroker.exeC:\Windows\System32\windows.storage.dll10.0.14393.4402 (rs1_release.210426-1725)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=DCB0FEE21129CF5397BBB8060CC5F62C,SHA256=89A6859022294A24D5253F4206FD49A45A1DEF34ACC894BF94CA0203DAE81623,IMPHASH=181A859176420BBB803F246C0E4B0889trueMicrosoft WindowsValid 734700x8000000000000000150683756Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.060{3BF36828-BB2E-61F9-860D-02000000CF01}5700C:\Windows\System32\AtBroker.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x8000000000000000150683755Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.060{3BF36828-BB2E-61F9-860D-02000000CF01}5700C:\Windows\System32\AtBroker.exeC:\Windows\System32\shell32.dll10.0.14393.4402 (rs1_release.210426-1725)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=5B28CA0CDE72EA21C402B62DDA249256,SHA256=8E46588F0A51745F89CB6C3011B227BE504D9B9D14FF33910DF57F4EDF15ED9A,IMPHASH=2ED99A476E2DEFB78DF894322CB4A549trueMicrosoft WindowsValid 734700x8000000000000000150683754Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.060{3BF36828-BB2E-61F9-860D-02000000CF01}5700C:\Windows\System32\AtBroker.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000150683753Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.060{3BF36828-BB2E-61F9-860D-02000000CF01}5700C:\Windows\System32\AtBroker.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000150683752Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.060{3BF36828-BB2E-61F9-860D-02000000CF01}5700C:\Windows\System32\AtBroker.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150683751Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.060{3BF36828-BB2E-61F9-860D-02000000CF01}5700C:\Windows\System32\AtBroker.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000150683750Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.060{3BF36828-BB2E-61F9-860D-02000000CF01}5700C:\Windows\System32\AtBroker.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000150683749Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.060{3BF36828-BB2E-61F9-860D-02000000CF01}5700C:\Windows\System32\AtBroker.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000150683748Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.060{3BF36828-BB2E-61F9-860D-02000000CF01}5700C:\Windows\System32\AtBroker.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000150683747Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.060{3BF36828-BB2E-61F9-860D-02000000CF01}5700C:\Windows\System32\AtBroker.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x8000000000000000150683746Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.060{3BF36828-BB2E-61F9-860D-02000000CF01}5700C:\Windows\System32\AtBroker.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000150683745Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.060{3BF36828-BB2E-61F9-860D-02000000CF01}5700C:\Windows\System32\AtBroker.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x8000000000000000150683744Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.060{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-DC57-61EA-594E-00000000CF01}304C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683743Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.060{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-DC57-61EA-594E-00000000CF01}304C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150683742Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.060{3BF36828-BB2E-61F9-860D-02000000CF01}5700C:\Windows\System32\AtBroker.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150683741Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.060{3BF36828-BB2E-61F9-860D-02000000CF01}5700C:\Windows\System32\AtBroker.exeC:\Windows\System32\AtBroker.exe10.0.14393.0 (rs1_release.160715-1616)Windows Assistive Technology ManagerMicrosoft® Windows® Operating SystemMicrosoft CorporationATBroker.exeMD5=8507D8A98EFA12F285A504DAEF14A0A5,SHA256=A84417EE9D039891AF43B267896DB921A40838D8A17CC1BE29785D031E5944D4,IMPHASH=9E9F046950193A8BA7AB446E4274C9D6trueMicrosoft WindowsValid 10341000x8000000000000000150683740Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.060{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683739Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.060{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683738Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.060{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683737Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.044{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683736Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.044{3BF36828-DC57-61EA-584E-00000000CF01}10404376C:\Windows\system32\csrss.exe{3BF36828-BB2E-61F9-860D-02000000CF01}5700C:\Windows\system32\atbroker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000150683735Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.044{3BF36828-DC57-61EA-594E-00000000CF01}3041468C:\Windows\system32\winlogon.exe{3BF36828-BB2E-61F9-860D-02000000CF01}5700C:\Windows\system32\atbroker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\winlogon.exe+15b13|C:\Windows\system32\winlogon.exe+3b284|C:\Windows\system32\winlogon.exe+38b7a|C:\Windows\system32\winlogon.exe+44b92|C:\Windows\system32\winlogon.exe+b12f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000150683734Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.054{3BF36828-BB2E-61F9-860D-02000000CF01}5700C:\Windows\System32\AtBroker.exe10.0.14393.0 (rs1_release.160715-1616)Windows Assistive Technology ManagerMicrosoft® Windows® Operating SystemMicrosoft CorporationATBroker.exeatbroker.exeC:\Windows\system32\ATTACKRANGE\Administrator{3BF36828-DC57-61EA-2C91-EE0200000000}0x2ee912c3HighMD5=8507D8A98EFA12F285A504DAEF14A0A5,SHA256=A84417EE9D039891AF43B267896DB921A40838D8A17CC1BE29785D031E5944D4,IMPHASH=9E9F046950193A8BA7AB446E4274C9D6{3BF36828-DC57-61EA-594E-00000000CF01}304C:\Windows\System32\winlogon.exewinlogon.exe 734700x8000000000000000150683733Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.044{3BF36828-BB2C-61F9-830D-02000000CF01}2140C:\Windows\System32\LogonUI.exeC:\Windows\System32\UIAutomationCore.dll7.2.14393.4169 (rs1_release.210107-1130)Microsoft UI Automation CoreMicrosoft® Windows® Operating SystemMicrosoft CorporationUIAutomationCore.dllMD5=9B2DCFE11EEBDDC18A8F5964E04E64A0,SHA256=5CBC5B45B9EB5B4EF1360005CD675D20D7EE9FE588DA24543FF7C9ACB88317FF,IMPHASH=6691D3D33C2662107A11540A5A994674trueMicrosoft WindowsValid 10341000x8000000000000000150683732Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.044{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683731Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.028{3BF36828-4B39-61E8-0C00-00000000CF01}8403164C:\Windows\system32\svchost.exe{3BF36828-0669-61F8-11DA-01000000CF01}6068C:\Windows\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683730Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.028{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+2b2a|c:\windows\system32\SYSNTFY.dll+15cd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49e78|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683729Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.028{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+48674|C:\Windows\System32\RPCRT4.dll+31850|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683728Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.028{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-DC58-61EA-5E4E-00000000CF01}1296C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+6260e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000150683727Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.028{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-0F00-00000000CF01}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+625bd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 18141800x8000000000000000150683726Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-ConnectPipe2022-02-01 22:58:54.028{3BF36828-4B39-61E8-0F00-00000000CF01}100\TSVCPIPE-f3aae42b-6d29-4106-9be1-1abd921ef3a6C:\Windows\System32\svchost.exe 734700x8000000000000000150683725Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.013{3BF36828-BB2D-61F9-850D-02000000CF01}1068C:\Windows\System32\rdpclip.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x8000000000000000150683724Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.013{3BF36828-BB2D-61F9-850D-02000000CF01}1068C:\Windows\System32\rdpclip.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000150683723Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.013{3BF36828-BB2D-61F9-850D-02000000CF01}1068C:\Windows\System32\rdpclip.exeC:\Windows\System32\winsta.dll10.0.14393.0 (rs1_release.160715-1616)Winstation LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationwinsta.dllMD5=12668CEFEE3754CFA61C5699821668B3,SHA256=D0C81619EDE8B846D98417989684EF16DF3A053CC049C7281E40F3359AD5B570,IMPHASH=2E790E44628AED89C2CC17E1E4A5CE1CtrueMicrosoft WindowsValid 734700x8000000000000000150683722Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.013{3BF36828-BB2D-61F9-850D-02000000CF01}1068C:\Windows\System32\rdpclip.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000150683721Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.013{3BF36828-BB2D-61F9-850D-02000000CF01}1068C:\Windows\System32\rdpclip.exeC:\Windows\System32\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=74621C6ABE4E9A568DF0A38E7282D71E,SHA256=0788A092D47800D0EB120A7DBB9E59234D0722A4A2E80ECE6CE70E3A84A3750A,IMPHASH=ADB9F71ACD4F7D3CF761AB6C59A7F1E5trueMicrosoft WindowsValid 734700x8000000000000000150683720Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.013{3BF36828-BB2D-61F9-850D-02000000CF01}1068C:\Windows\System32\rdpclip.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045,IMPHASH=2005807FD04567B79F4109D23F9E6018trueMicrosoft WindowsValid 734700x8000000000000000150683719Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.013{3BF36828-BB2D-61F9-850D-02000000CF01}1068C:\Windows\System32\rdpclip.exeC:\Windows\System32\mpr.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Multiple Provider Router DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmpr.dllMD5=0E56DB60C434D51769F2DAC48B9AA686,SHA256=3F9AED98B1B7F6A59C219F622FD91C7FD20BFE280935F5334920A02ECCAE7ED6,IMPHASH=46ADE2B067E724C7163A0B1902FEF225trueMicrosoft WindowsValid 734700x8000000000000000150683718Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.013{3BF36828-BB2D-61F9-850D-02000000CF01}1068C:\Windows\System32\rdpclip.exeC:\Windows\System32\wtsapi32.dll10.0.14393.0 (rs1_release.160715-1616)Windows Remote Desktop Session Host Server SDK APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationwtsapi32.dllMD5=D0DB3DD09FB2B4ADABF4E719FAFC4EB9,SHA256=8B7C056B5F4AB604ED5077A39C63CE1B5A34929DE76DA4A3C54D6E648D123BAB,IMPHASH=AD7CEB919D43FA2BD394EC803EB6BCDAtrueMicrosoft WindowsValid 734700x8000000000000000150683717Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.013{3BF36828-BB2D-61F9-850D-02000000CF01}1068C:\Windows\System32\rdpclip.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242,IMPHASH=B6562243FBF394F03046E917C719260FtrueMicrosoft WindowsValid 734700x8000000000000000150683716Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.013{3BF36828-BB2D-61F9-850D-02000000CF01}1068C:\Windows\System32\rdpclip.exeC:\Windows\System32\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=95BA70CFA8087A209500D7D350BF3A59,SHA256=4265157E8DC2A0E32A6328D54181CC31FD24E3017E60B270623C2CDBE5FAB4FA,IMPHASH=5BAA515B293A764CA06512D078C4E624trueMicrosoft WindowsValid 734700x8000000000000000150683715Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.013{3BF36828-BB2D-61F9-850D-02000000CF01}1068C:\Windows\System32\rdpclip.exeC:\Windows\System32\setupapi.dll10.0.14393.2608 (rs1_release.181024-1742)Windows Setup APIMicrosoft® Windows® Operating SystemMicrosoft CorporationSETUPAPI.DLLMD5=8EEA3E9E124AC395915517588723F12E,SHA256=ED63B8F0079069271F46EECCB4B0CF384D02BD1E18FE3BA635A0C0B1284B2CBE,IMPHASH=5910ADAAC44A92AFA6ED871531949CEEtrueMicrosoft WindowsValid 734700x8000000000000000150683714Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.013{3BF36828-BB2D-61F9-850D-02000000CF01}1068C:\Windows\System32\rdpclip.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x8000000000000000150683713Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.013{3BF36828-BB2D-61F9-850D-02000000CF01}1068C:\Windows\System32\rdpclip.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430D,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x8000000000000000150683712Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.013{3BF36828-BB2D-61F9-850D-02000000CF01}1068C:\Windows\System32\rdpclip.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000150683711Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.013{3BF36828-BB2D-61F9-850D-02000000CF01}1068C:\Windows\System32\rdpclip.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CA,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x8000000000000000150683710Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.013{3BF36828-BB2D-61F9-850D-02000000CF01}1068C:\Windows\System32\rdpclip.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x8000000000000000150683709Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.013{3BF36828-BB2D-61F9-850D-02000000CF01}1068C:\Windows\System32\rdpclip.exeC:\Windows\System32\windows.storage.dll10.0.14393.4402 (rs1_release.210426-1725)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=DCB0FEE21129CF5397BBB8060CC5F62C,SHA256=89A6859022294A24D5253F4206FD49A45A1DEF34ACC894BF94CA0203DAE81623,IMPHASH=181A859176420BBB803F246C0E4B0889trueMicrosoft WindowsValid 10341000x8000000000000000150683708Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.013{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-0669-61F8-11DA-01000000CF01}6068C:\Windows\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150683707Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.013{3BF36828-BB2D-61F9-850D-02000000CF01}1068C:\Windows\System32\rdpclip.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x8000000000000000150683706Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.013{3BF36828-BB2D-61F9-850D-02000000CF01}1068C:\Windows\System32\rdpclip.exeC:\Windows\System32\shell32.dll10.0.14393.4402 (rs1_release.210426-1725)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=5B28CA0CDE72EA21C402B62DDA249256,SHA256=8E46588F0A51745F89CB6C3011B227BE504D9B9D14FF33910DF57F4EDF15ED9A,IMPHASH=2ED99A476E2DEFB78DF894322CB4A549trueMicrosoft WindowsValid 18141800x8000000000000000150683705Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-ConnectPipe2022-02-01 22:58:54.013{3BF36828-4B39-61E8-0F00-00000000CF01}100\TSVCPIPE-f3aae42b-6d29-4106-9be1-1abd921ef3a6C:\Windows\System32\svchost.exe 734700x8000000000000000150683704Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.013{3BF36828-BB2D-61F9-850D-02000000CF01}1068C:\Windows\System32\rdpclip.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000150683703Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.013{3BF36828-BB2D-61F9-850D-02000000CF01}1068C:\Windows\System32\rdpclip.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000150683702Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.013{3BF36828-BB2D-61F9-850D-02000000CF01}1068C:\Windows\System32\rdpclip.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000150683701Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.013{3BF36828-BB2D-61F9-850D-02000000CF01}1068C:\Windows\System32\rdpclip.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 18141800x8000000000000000150683700Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-ConnectPipe2022-02-01 22:58:54.013{3BF36828-4B39-61E8-0F00-00000000CF01}100\TSVCPIPE-f3aae42b-6d29-4106-9be1-1abd921ef3a6C:\Windows\System32\svchost.exe 10341000x8000000000000000150683699Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.013{3BF36828-4B39-61E8-0C00-00000000CF01}8403164C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150683698Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.013{3BF36828-BB2D-61F9-850D-02000000CF01}1068C:\Windows\System32\rdpclip.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 10341000x8000000000000000150683697Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.013{3BF36828-4B39-61E8-0C00-00000000CF01}8401248C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683696Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.013{3BF36828-4B39-61E8-0C00-00000000CF01}8401248C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150683695Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.013{3BF36828-BB2D-61F9-850D-02000000CF01}1068C:\Windows\System32\rdpclip.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 10341000x8000000000000000150683694Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.013{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683693Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.013{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683692Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.013{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683691Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.013{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150683690Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.013{3BF36828-BB2D-61F9-850D-02000000CF01}1068C:\Windows\System32\rdpclip.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150683689Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.013{3BF36828-BB2D-61F9-850D-02000000CF01}1068C:\Windows\System32\rdpclip.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000150683688Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.013{3BF36828-BB2D-61F9-850D-02000000CF01}1068C:\Windows\System32\rdpclip.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 10341000x8000000000000000150683687Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.013{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683686Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.013{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150683685Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.013{3BF36828-BB2D-61F9-850D-02000000CF01}1068C:\Windows\System32\rdpclip.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 10341000x8000000000000000150683684Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.013{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683683Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.013{3BF36828-4B39-61E8-0C00-00000000CF01}8403164C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+5b40|c:\windows\system32\lsm.dll+2de4|c:\windows\system32\lsm.dll+57af|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683682Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.013{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683681Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.013{3BF36828-4B39-61E8-0C00-00000000CF01}8403164C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+2dce|c:\windows\system32\lsm.dll+57af|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150683680Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.013{3BF36828-BB2D-61F9-850D-02000000CF01}1068C:\Windows\System32\rdpclip.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 10341000x8000000000000000150683679Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.013{3BF36828-4B39-61E8-0C00-00000000CF01}8403164C:\Windows\system32\svchost.exe{3BF36828-BB2C-61F9-820D-02000000CF01}912C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+5b40|c:\windows\system32\lsm.dll+5f9d|c:\windows\system32\lsm.dll+57a4|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683678Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.013{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-DC58-61EA-5E4E-00000000CF01}1296C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683677Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.013{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-DC58-61EA-5E4E-00000000CF01}1296C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683676Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.013{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683675Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.013{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150683674Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.013{3BF36828-BB2D-61F9-850D-02000000CF01}1068C:\Windows\System32\rdpclip.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x8000000000000000150683673Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.013{3BF36828-4B39-61E8-0C00-00000000CF01}8405768C:\Windows\system32\svchost.exe{3BF36828-DC58-61EA-5E4E-00000000CF01}1296C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683672Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.013{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683671Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.013{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683670Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.013{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683669Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.013{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683668Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.013{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683667Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.013{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683666Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.013{3BF36828-4B39-61E8-0C00-00000000CF01}8405768C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683665Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.013{3BF36828-4B39-61E8-0C00-00000000CF01}8405768C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683664Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:54.013{3BF36828-4B39-61E8-0C00-00000000CF01}8405768C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683663Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.997{3BF36828-4B39-61E8-0C00-00000000CF01}8405768C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683662Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.997{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683661Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.997{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683660Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.997{3BF36828-DC57-61EA-584E-00000000CF01}10405080C:\Windows\system32\csrss.exe{3BF36828-BB2D-61F9-850D-02000000CF01}1068C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 734700x8000000000000000150683659Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.997{3BF36828-BB2D-61F9-850D-02000000CF01}1068C:\Windows\System32\rdpclip.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000150683658Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.997{3BF36828-BB2D-61F9-850D-02000000CF01}1068C:\Windows\System32\rdpclip.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x8000000000000000150683657Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.997{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-0669-61F8-11DA-01000000CF01}6068C:\Windows\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683656Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.997{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-DC58-61EA-5E4E-00000000CF01}1296C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683655Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.997{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-DC58-61EA-5E4E-00000000CF01}1296C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683654Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.997{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150683653Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.997{3BF36828-BB2D-61F9-850D-02000000CF01}1068C:\Windows\System32\rdpclip.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000150683652Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.997{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150683651Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.997{3BF36828-BB2D-61F9-850D-02000000CF01}1068C:\Windows\System32\rdpclip.exeC:\Windows\System32\rdpclip.exe10.0.14393.3503 (rs1_release.200131-0410)RDP Clipboard MonitorMicrosoft® Windows® Operating SystemMicrosoft Corporationrdpclip.exeMD5=D887E718FB0F4C99B9F01C5BD59F8B90,SHA256=ACFA1128B4EDD953F6364FA6216337A59C0522A01349263A11259A827838A56F,IMPHASH=5A464814303942D42A66B561CF697F26trueMicrosoft WindowsValid 10341000x8000000000000000150683650Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.997{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683649Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.997{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683648Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.997{3BF36828-4B36-61E8-0500-00000000CF01}416532C:\Windows\system32\csrss.exe{3BF36828-BB2D-61F9-850D-02000000CF01}1068C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000150683647Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.997{3BF36828-4B39-61E8-0F00-00000000CF01}1005664C:\Windows\System32\svchost.exe{3BF36828-BB2D-61F9-850D-02000000CF01}1068C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\termsrv.dll+47f71|c:\windows\system32\termsrv.dll+549f2|c:\windows\system32\termsrv.dll+22ee6|c:\windows\system32\termsrv.dll+22763|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 154100x8000000000000000150683646Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.990{3BF36828-BB2D-61F9-850D-02000000CF01}1068C:\Windows\System32\rdpclip.exe10.0.14393.3503 (rs1_release.200131-0410)RDP Clipboard MonitorMicrosoft® Windows® Operating SystemMicrosoft Corporationrdpclip.exerdpclipC:\Windows\system32\ATTACKRANGE\Administrator{3BF36828-DC57-61EA-2C91-EE0200000000}0x2ee912c3HighMD5=D887E718FB0F4C99B9F01C5BD59F8B90,SHA256=ACFA1128B4EDD953F6364FA6216337A59C0522A01349263A11259A827838A56F,IMPHASH=5A464814303942D42A66B561CF697F26{3BF36828-4B39-61E8-0F00-00000000CF01}100C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k termsvcs 23542300x8000000000000000150683645Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.997{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7500B3F7D06B1F01E15252FE7F904142,SHA256=2D17770BF787DA5917DC4CEA626A898E72D75A672F9691E25A33E042E480AA92,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000150683644Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.997{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683643Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.997{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683642Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.997{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683641Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.997{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683640Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:53.997{3BF36828-4B39-61E8-0C00-00000000CF01}8404936C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000071087198Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:55.626{B81B27B7-4B3A-61E8-1000-00000000CE01}984NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=1B28400F42116E2CC2EFB3A5AE24236E,SHA256=309E1CCFC6CE0F0E2C1648CD7DF5DB00D18835A62C678582B8635587BC87A1EA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087197Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:55.189{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F207E1E9FA2CEB62EFAE06167CCBA334,SHA256=DACDA9D00AF9DF63261320ED9890A951FEF2ABCD2E1B301ACC73E184B5D34E47,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150683981Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:55.450{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FD70B0AAA2F95B1A1AE190C69C0FBE7,SHA256=B90C6D149E900782D804F54EEF40C7CF1E11EA0A2C962C33667CE58D1E5281DE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150683980Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:55.028{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=92F8AD4D6631A564611ABAFC51BF1700,SHA256=ED83D1B468A191CEAB9FB9F4EF13A8E972F842EDDED5D905D7CEB87F03EB2CC2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150683990Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:56.450{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13AD70EB3EC5FE37211B7CD83E4AAEB9,SHA256=293F7B62DB33385DBE31ABD1282E0BAFBB2658541ACDDB4ECABE7FDC6CFAD5F7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087199Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:56.392{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBE39A2DBF34D547B8B5DA4B1B5A1194,SHA256=64496E3ED2D7AF80E03C6B10C3AA8D5B872D368A2FD7CF0C462484EDA7E437BB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000150683989Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:38.710{3BF36828-4B56-61E8-6D00-00000000CF01}4044C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local59767-false10.0.1.12-8000- 354300x8000000000000000150683988Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:38.331{3BF36828-4B39-61E8-1400-00000000CF01}1072C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10e:0:0:9880:a4c4:39b:ffff-57090-truee000:fc:0:0:0:0:0:0-5355llmnr 354300x8000000000000000150683987Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:38.331{3BF36828-4B39-61E8-1400-00000000CF01}1072C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local57090-trueff02:0:0:0:0:0:1:3-5355llmnr 354300x8000000000000000150683986Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:38.330{3BF36828-4B33-61E8-0100-00000000CF01}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255-137netbios-nsfalse10.0.1.14win-dc-128.attackrange.local137netbios-ns 354300x8000000000000000150683985Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:38.330{3BF36828-4B33-61E8-0100-00000000CF01}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-128.attackrange.local137netbios-nsfalse10.0.1.255-137netbios-ns 354300x8000000000000000150683984Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:38.321{3BF36828-4B49-61E8-2E00-00000000CF01}2160C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-128.attackrange.local55628-false10.0.0.2ip-10-0-0-2.us-west-2.compute.internal53domain 354300x8000000000000000150683983Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:38.321{3BF36828-4B49-61E8-2E00-00000000CF01}2160C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local58202- 23542300x8000000000000000150683982Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:56.138{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=704E344A4384F6D4A5313A6C8DE1AE45,SHA256=177BA9ECE9C05E9AE6DA6F0DD0C958018BFDBE6ADA7D7A38D583509D61104D04,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150683996Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:57.466{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30C14BABBCFC9A616CCB5CEBE8DBF02B,SHA256=14007CB8290404CB9E3B9E45506A1CF7868D37CBE8B2A805A482F7AAD58C103B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000071087201Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:50.889{B81B27B7-4B45-61E8-6600-00000000CE01}4020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local54098-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000071087200Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:57.407{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E699E2FEAE09CA46D1FCF0364AE49F3,SHA256=ACE057A06095DB86B80BC3B84D4CF2A6DA3776F785532824E68394D5ECFA82DC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000150683995Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:57.435{3BF36828-DC58-61EA-5E4E-00000000CF01}12961664C:\Windows\System32\rdpclip.exe{3BF36828-0669-61F8-11DA-01000000CF01}6068C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a30ce|C:\Windows\System32\SHELL32.dll+d5032|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683994Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:57.435{3BF36828-DC58-61EA-5E4E-00000000CF01}12961664C:\Windows\System32\rdpclip.exe{3BF36828-0669-61F8-11DA-01000000CF01}6068C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a3038|C:\Windows\System32\SHELL32.dll+d5032|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150683993Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:57.435{3BF36828-DC58-61EA-5E4E-00000000CF01}12961664C:\Windows\System32\rdpclip.exe{3BF36828-0669-61F8-11DA-01000000CF01}6068C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+a301a|C:\Windows\System32\SHELL32.dll+d5032|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000150683992Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:57.435{3BF36828-DC58-61EA-5E4E-00000000CF01}12961664C:\Windows\System32\rdpclip.exe{3BF36828-0669-61F8-11DA-01000000CF01}6068C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+a301a|C:\Windows\System32\SHELL32.dll+d5032|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000150683991Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:57.372{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C00E624B94FD6674ED71F3D113DC7924,SHA256=E97B1A19D25526BF2882964981CFF3FEE0BAD3CA6AEE100D0552AACB8CEAFA7F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087202Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:58.408{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35AD4C3765BB5D325C09741462449789,SHA256=4FD9CAFFFA5EA7339753C7D1B9BED7AB2765D086386F38626A059C54AD1C261A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150683997Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:58.481{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26984FC7C7127AC23E3478C8423DB2AC,SHA256=BC1515E9569D0C9272A08F221AC2D59A61B7C509E305DA1F64CB5EED53F5AEE1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087203Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:59.564{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76AEB565C1FF3931437E554C7B022AC2,SHA256=B1D7B5C61DA2792F3EA1C249E2D3AB89EE3D3AA2A6DD99B9EAF9A65FEC9B8496,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150683999Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:59.481{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=398479408533E1978059D23610EB8807,SHA256=3AEF65465A0A3A13404C32D24021A18079792DF95BA2128B8424337571000212,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150683998Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:59.075{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=03D3C8E296F9C16576ACBD8533BA9876,SHA256=783758017B4881E52890B1B62762FBDCE045220DE0F973D4CCBFEB77CABF1CE8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684001Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:00.810{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=56DC0D45E760F49D318312269DCD3826,SHA256=C80DBD0211AD17735FFFFD94CCCDDEF239681DF3DCEE6549FCC994D22369E277,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684000Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:00.513{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F2FAC624DAD110D4A05650C2A2E62A6,SHA256=167AB666DB9DD3E7310251742093CBC55DF06FD3B1780D20D5CBFB26D217F838,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087204Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:00.581{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=878B835C3376F0475975CBDAAE47DBD1,SHA256=F168F2463581AAA8395207D9F31EB64750C7CB3FCF016149CB4C98EA96217BA1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087205Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:01.595{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57F33CEB05B01EDB60C8AF6DBF9B1538,SHA256=7DA9D8E5870F6E13554CA14129AD37E3313C0A37D25A3890AC6E33571BD2E9C5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684002Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:01.528{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43C8B0401E5E47A474CAB23395C8844E,SHA256=840DD371176FAE2E57B1E1A237D553ED840347E5F863F10A5691C3F50EC181BC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000150684052Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:02.950{3BF36828-BB36-61F9-890D-02000000CF01}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000150684051Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:02.950{3BF36828-BB36-61F9-890D-02000000CF01}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000150684050Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:02.950{3BF36828-BB36-61F9-890D-02000000CF01}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000150684049Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:02.950{3BF36828-BB36-61F9-890D-02000000CF01}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000150684048Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:02.935{3BF36828-BB36-61F9-890D-02000000CF01}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000150684047Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:02.935{3BF36828-BB36-61F9-890D-02000000CF01}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000150684046Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:02.935{3BF36828-BB36-61F9-890D-02000000CF01}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000150684045Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:02.935{3BF36828-BB36-61F9-890D-02000000CF01}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000150684044Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:02.935{3BF36828-BB36-61F9-890D-02000000CF01}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000150684043Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:02.935{3BF36828-BB36-61F9-890D-02000000CF01}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000150684042Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:02.935{3BF36828-BB36-61F9-890D-02000000CF01}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000150684041Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:02.919{3BF36828-BB36-61F9-890D-02000000CF01}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000150684040Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:02.919{3BF36828-BB36-61F9-890D-02000000CF01}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000150684039Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:02.919{3BF36828-BB36-61F9-890D-02000000CF01}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000150684038Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:02.919{3BF36828-BB36-61F9-890D-02000000CF01}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000150684037Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:02.919{3BF36828-BB36-61F9-890D-02000000CF01}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150684036Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:02.919{3BF36828-BB36-61F9-890D-02000000CF01}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000150684035Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:02.919{3BF36828-BB36-61F9-890D-02000000CF01}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000150684034Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:02.919{3BF36828-BB36-61F9-890D-02000000CF01}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000150684033Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:02.919{3BF36828-BB36-61F9-890D-02000000CF01}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000150684032Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:02.919{3BF36828-BB36-61F9-890D-02000000CF01}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000150684031Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:02.919{3BF36828-BB36-61F9-890D-02000000CF01}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000150684030Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:02.919{3BF36828-BB36-61F9-890D-02000000CF01}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000150684029Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:02.919{3BF36828-BB36-61F9-890D-02000000CF01}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000150684028Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:02.919{3BF36828-BB36-61F9-890D-02000000CF01}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000150684027Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:02.919{3BF36828-BB36-61F9-890D-02000000CF01}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000150684026Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:02.919{3BF36828-BB36-61F9-890D-02000000CF01}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000150684025Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:02.919{3BF36828-BB36-61F9-890D-02000000CF01}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000150684024Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:02.919{3BF36828-BB36-61F9-890D-02000000CF01}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000150684023Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:02.919{3BF36828-BB36-61F9-890D-02000000CF01}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000150684022Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:02.919{3BF36828-BB36-61F9-890D-02000000CF01}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000150684021Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:02.919{3BF36828-BB36-61F9-890D-02000000CF01}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000150684020Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:02.919{3BF36828-BB36-61F9-890D-02000000CF01}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000150684019Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:02.919{3BF36828-BB36-61F9-890D-02000000CF01}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000150684018Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:02.919{3BF36828-BB36-61F9-890D-02000000CF01}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x8000000000000000150684017Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:02.919{3BF36828-BB36-61F9-890D-02000000CF01}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 10341000x8000000000000000150684016Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:02.919{3BF36828-4B4B-61E8-3600-00000000CF01}34443464C:\Windows\system32\conhost.exe{3BF36828-BB36-61F9-890D-02000000CF01}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150684015Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:02.919{3BF36828-BB36-61F9-890D-02000000CF01}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000150684014Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:02.919{3BF36828-BB36-61F9-890D-02000000CF01}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000150684013Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:02.919{3BF36828-BB36-61F9-890D-02000000CF01}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150684012Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:02.919{3BF36828-BB36-61F9-890D-02000000CF01}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8trueSplunk, Inc.Valid 10341000x8000000000000000150684011Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:02.919{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684010Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:02.919{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684009Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:02.919{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684008Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:02.919{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684007Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:02.919{3BF36828-4B36-61E8-0500-00000000CF01}4164876C:\Windows\system32\csrss.exe{3BF36828-BB36-61F9-890D-02000000CF01}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000150684006Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:02.919{3BF36828-4B49-61E8-2D00-00000000CF01}30564072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-BB36-61F9-890D-02000000CF01}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000150684005Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:02.888{3BF36828-BB36-61F9-890D-02000000CF01}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4B37-61E8-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000150684004Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:43.834{3BF36828-4B56-61E8-6D00-00000000CF01}4044C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local59768-false10.0.1.12-8000- 23542300x8000000000000000150684003Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:02.560{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B27BAD210C76450C433CD60556C70689,SHA256=D759EE4CAEBF2589954DD5C852FAF9E3F6B69927E3303F3E4F48B24F42E83844,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087206Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:02.626{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47C9D0B0855E4040384A273D3302F571,SHA256=40D661AFAAB44B62A69216D0A4E20CBBE392F6A66217D1462541DE9FE9C09F33,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684113Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:03.919{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F31AA3823F63CAB4ABAD7EAB06906390,SHA256=460A6D56204D1D1424D2ADB6448E6B7F9FA97A5476282EB702AF2BBB24121519,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000150684112Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:03.794{3BF36828-BB37-61F9-8A0D-02000000CF01}1864956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150684111Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:03.794{3BF36828-BB37-61F9-8A0D-02000000CF01}1864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000150684110Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:03.794{3BF36828-BB37-61F9-8A0D-02000000CF01}1864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000150684109Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:03.747{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exeC:\Windows\System32\drvstore.dll10.0.14393.2791 (rs1_release.190205-1511)Driver Store APIMicrosoft® Windows® Operating SystemMicrosoft CorporationDRVSTORE.DLLMD5=D0DE1D69FC3F00F65F8D67C31BCC9682,SHA256=F27CEB248FCB3444B850896CB916DACC10BC730E7C2679D2A6C2582CC667F8AD,IMPHASH=AC3F232984E3ABCCF80F1B2A1ACA9991trueMicrosoft WindowsValid 23542300x8000000000000000150684108Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:03.778{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4540ADDD76106B077223CC56105197FB,SHA256=F0203125C8EFB615C7431C07DFF085DB21C4C903067FD714ADC49D119DC0B81D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000150684107Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:03.763{3BF36828-4B39-61E8-1400-00000000CF01}10721612C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150684106Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:03.747{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exeC:\Windows\System32\devinv.dll10.0.19645.1032 (WinBuild.160101.0800)Device Inventory LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationdevinv.dllMD5=8BFD253467CDB3F41ED2A23FE08B361D,SHA256=5A938F1A6D0FF39BE7B5BD88F46988F4CDAA78134E9E22AC02C46EC688819D17,IMPHASH=94EEFF72CC677C4C4124B0B3A85F7825trueMicrosoft WindowsValid 734700x8000000000000000150684105Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:03.747{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x8000000000000000150684104Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:03.747{3BF36828-4B39-61E8-1100-00000000CF01}440C:\Windows\System32\svchost.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000150684103Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:03.638{3BF36828-BB37-61F9-8A0D-02000000CF01}1864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000150684102Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:03.638{3BF36828-BB37-61F9-8A0D-02000000CF01}1864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000150684101Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:03.638{3BF36828-BB37-61F9-8A0D-02000000CF01}1864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000150684100Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:03.622{3BF36828-BB37-61F9-8A0D-02000000CF01}1864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000150684099Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:03.622{3BF36828-BB37-61F9-8A0D-02000000CF01}1864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000150684098Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:03.622{3BF36828-BB37-61F9-8A0D-02000000CF01}1864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000150684097Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:03.622{3BF36828-BB37-61F9-8A0D-02000000CF01}1864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000150684096Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:03.622{3BF36828-BB37-61F9-8A0D-02000000CF01}1864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000150684095Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:03.622{3BF36828-BB37-61F9-8A0D-02000000CF01}1864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000150684094Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:03.622{3BF36828-BB37-61F9-8A0D-02000000CF01}1864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000150684093Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:03.622{3BF36828-BB37-61F9-8A0D-02000000CF01}1864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000150684092Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:03.622{3BF36828-BB37-61F9-8A0D-02000000CF01}1864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000150684091Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:03.622{3BF36828-BB37-61F9-8A0D-02000000CF01}1864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000150684090Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:03.622{3BF36828-BB37-61F9-8A0D-02000000CF01}1864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000150684089Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:03.622{3BF36828-BB37-61F9-8A0D-02000000CF01}1864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000150684088Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:03.622{3BF36828-BB37-61F9-8A0D-02000000CF01}1864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000150684087Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:03.622{3BF36828-BB37-61F9-8A0D-02000000CF01}1864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000150684086Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:03.622{3BF36828-BB37-61F9-8A0D-02000000CF01}1864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000150684085Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:03.622{3BF36828-BB37-61F9-8A0D-02000000CF01}1864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000150684084Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:03.622{3BF36828-BB37-61F9-8A0D-02000000CF01}1864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000150684083Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:03.606{3BF36828-BB37-61F9-8A0D-02000000CF01}1864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000150684082Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:03.606{3BF36828-BB37-61F9-8A0D-02000000CF01}1864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000150684081Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:03.606{3BF36828-BB37-61F9-8A0D-02000000CF01}1864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000150684080Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:03.606{3BF36828-BB37-61F9-8A0D-02000000CF01}1864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x8000000000000000150684079Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:03.606{3BF36828-BB37-61F9-8A0D-02000000CF01}1864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000150684078Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:03.606{3BF36828-BB37-61F9-8A0D-02000000CF01}1864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000150684077Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:03.606{3BF36828-BB37-61F9-8A0D-02000000CF01}1864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000150684076Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:03.606{3BF36828-BB37-61F9-8A0D-02000000CF01}1864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000150684075Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:03.606{3BF36828-BB37-61F9-8A0D-02000000CF01}1864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000150684074Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:03.606{3BF36828-BB37-61F9-8A0D-02000000CF01}1864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000150684073Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:03.606{3BF36828-BB37-61F9-8A0D-02000000CF01}1864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000150684072Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:03.606{3BF36828-BB37-61F9-8A0D-02000000CF01}1864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000150684071Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:03.606{3BF36828-BB37-61F9-8A0D-02000000CF01}1864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000150684070Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:03.606{3BF36828-BB37-61F9-8A0D-02000000CF01}1864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000150684069Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:03.606{3BF36828-BB37-61F9-8A0D-02000000CF01}1864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150684068Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:03.606{3BF36828-BB37-61F9-8A0D-02000000CF01}1864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000150684067Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:03.606{3BF36828-4B4B-61E8-3600-00000000CF01}34443464C:\Windows\system32\conhost.exe{3BF36828-BB37-61F9-8A0D-02000000CF01}1864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150684066Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:03.606{3BF36828-BB37-61F9-8A0D-02000000CF01}1864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000150684065Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:03.606{3BF36828-BB37-61F9-8A0D-02000000CF01}1864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000150684064Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:03.606{3BF36828-BB37-61F9-8A0D-02000000CF01}1864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150684063Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:03.606{3BF36828-BB37-61F9-8A0D-02000000CF01}1864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165trueSplunk, Inc.Valid 10341000x8000000000000000150684062Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:03.606{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684061Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:03.606{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684060Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:03.606{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684059Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:03.606{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684058Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:03.606{3BF36828-4B36-61E8-0500-00000000CF01}416532C:\Windows\system32\csrss.exe{3BF36828-BB37-61F9-8A0D-02000000CF01}1864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000150684057Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:03.606{3BF36828-4B49-61E8-2D00-00000000CF01}30564072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-BB37-61F9-8A0D-02000000CF01}1864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000150684056Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:03.592{3BF36828-BB37-61F9-8A0D-02000000CF01}1864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4B37-61E8-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000071087208Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:58:56.717{B81B27B7-4B45-61E8-6600-00000000CE01}4020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local54099-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000071087207Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:03.704{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E49DCE65168905DFCE0B5554D368388F,SHA256=B0D8D9C7B122FD2C2A1FAE7217ED4DBA46BCC85310BBED276639A01954EE0768,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000150684055Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:03.153{3BF36828-BB36-61F9-890D-02000000CF01}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000150684054Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:03.153{3BF36828-BB36-61F9-890D-02000000CF01}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000150684053Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:03.153{3BF36828-BB36-61F9-890D-02000000CF01}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000071087209Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:04.720{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCFC684F12242D0955C26DF322288827,SHA256=E82D289D9D1CCED0E0C264CB64FDE825666BCA7D659203135478F771928550CB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087210Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:05.721{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB8F5E293B46B61C2936DAFEA09A7F4F,SHA256=06A3C817D965614077460D4BF1D8A382C310629D33EE719C54CD5F0ACAC32EC9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684114Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:05.153{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49B37BBEC8B60EFB3D0730FE37F3E1A7,SHA256=73EC016D4904F374AA66562BE18AF2251AF113CBD8FBDDF69C97325A147FB536,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087225Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:06.765{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52DB2E9A92E87C3950AB711895C9B17E,SHA256=0731E14F7D3DDFC6D73357402CCD2C422A841CD9DBD0F3796CB33DE22DB3C05D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684119Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:06.997{3BF36828-0669-61F8-11DA-01000000CF01}6068ATTACKRANGE\AdministratorC:\Windows\explorer.exeC:\Tools\x64\[0;3e4]-2-0-60a10000-WIN-DC-128$@krbtgt-ATTACKRANGE.LOCAL.kirbiMD5=1468E0D0B775DC913F2DAD8F16B579E4,SHA256=9F8149E07EB6CF6CC7868BB010BEE8793A4054861FFBC65D3C5E03D61A5C3D51,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684118Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:06.997{3BF36828-0669-61F8-11DA-01000000CF01}6068ATTACKRANGE\AdministratorC:\Windows\explorer.exeC:\Tools\x64\[0;3e4]-0-1-40a50000-WIN-DC-128$@ldap-win-dc-128.attackrange.local.kirbiMD5=A1529E6A6D982AA4CDC1A176390F9CA6,SHA256=AE20D9AD5997A7CFAA60ECF0199CEE5E0526A55CC2D6EDF98ED8DDE6010FBB1F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684117Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:06.981{3BF36828-0669-61F8-11DA-01000000CF01}6068ATTACKRANGE\AdministratorC:\Windows\explorer.exeC:\Tools\x64\[0;3e4]-0-0-40a50000-WIN-DC-128$@DNS-win-dc-128.attackrange.local.kirbiMD5=77B4020E6AF3AF3B71FEA613A09B664C,SHA256=83E03F93EBA7C5A710866708E1853DC9557974A567CFD20550C6516DC1317547,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000150684116Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:06.481{3BF36828-DC58-61EA-634E-00000000CF01}45404808C:\Windows\system32\taskhostw.exe{3BF36828-0669-61F8-11DA-01000000CF01}6068C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000150684115Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:06.294{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E1A6E4409C8F176B65D468C0E0E8B60,SHA256=DFDBDBB58D982A38B854BD3FFCEE6BBCA23A03D90E4F40195EED3CE746852E0B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000071087224Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:06.593{B81B27B7-4B39-61E8-0D00-00000000CE01}804824C:\Windows\system32\svchost.exe{B81B27B7-AED0-61F9-B70B-02000000CE01}3740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087223Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:06.593{B81B27B7-4B39-61E8-0D00-00000000CE01}804824C:\Windows\system32\svchost.exe{B81B27B7-AED0-61F9-B70B-02000000CE01}3740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087222Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:06.593{B81B27B7-4B39-61E8-0D00-00000000CE01}804824C:\Windows\system32\svchost.exe{B81B27B7-AED0-61F9-B70B-02000000CE01}3740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087221Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:06.593{B81B27B7-4B39-61E8-0D00-00000000CE01}804824C:\Windows\system32\svchost.exe{B81B27B7-AED0-61F9-B70B-02000000CE01}3740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087220Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:06.593{B81B27B7-4B39-61E8-0D00-00000000CE01}804824C:\Windows\system32\svchost.exe{B81B27B7-AED0-61F9-B70B-02000000CE01}3740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087219Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:06.593{B81B27B7-4B39-61E8-0D00-00000000CE01}804824C:\Windows\system32\svchost.exe{B81B27B7-AED0-61F9-B70B-02000000CE01}3740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087218Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:06.593{B81B27B7-4B39-61E8-0D00-00000000CE01}804824C:\Windows\system32\svchost.exe{B81B27B7-AED0-61F9-B70B-02000000CE01}3740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087217Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:06.593{B81B27B7-4B39-61E8-0D00-00000000CE01}804824C:\Windows\system32\svchost.exe{B81B27B7-AED0-61F9-B70B-02000000CE01}3740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087216Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:06.593{B81B27B7-4B39-61E8-0D00-00000000CE01}804824C:\Windows\system32\svchost.exe{B81B27B7-AED0-61F9-B70B-02000000CE01}3740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087215Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:06.593{B81B27B7-4B39-61E8-0D00-00000000CE01}804824C:\Windows\system32\svchost.exe{B81B27B7-AED0-61F9-B70B-02000000CE01}3740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087214Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:06.593{B81B27B7-4B39-61E8-0D00-00000000CE01}804824C:\Windows\system32\svchost.exe{B81B27B7-AED0-61F9-B70B-02000000CE01}3740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087213Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:06.593{B81B27B7-4B39-61E8-0D00-00000000CE01}804824C:\Windows\system32\svchost.exe{B81B27B7-AED0-61F9-B70B-02000000CE01}3740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087212Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:06.593{B81B27B7-4B39-61E8-0D00-00000000CE01}804824C:\Windows\system32\svchost.exe{B81B27B7-AED0-61F9-B70B-02000000CE01}3740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087211Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:06.593{B81B27B7-4B39-61E8-0D00-00000000CE01}804824C:\Windows\system32\svchost.exe{B81B27B7-AED0-61F9-B70B-02000000CE01}3740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000071087226Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:07.784{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A7D4D1342235B8AACF36E26C583B10D,SHA256=2944C468E2D2679B54FAD9BC29946B04F4D9A4C9DBA581CD857CDF4BB4A8CA4A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000150684147Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:49.822{3BF36828-4B56-61E8-6D00-00000000CF01}4044C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local59769-false10.0.1.12-8000- 734700x8000000000000000150684146Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:07.544{3BF36828-0669-61F8-11DA-01000000CF01}6068C:\Windows\explorer.exeC:\Windows\System32\EhStorAPI.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Enhanced Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationEhStorapi.dllMD5=1287D2464B3F71ECC99316991E038B0B,SHA256=7FFA04958C7E76E42712E8D9E03037E3E98E2A6E1A6D277E48A76C55F4E794E8,IMPHASH=33685761AD2886071A8D7CFB81130BEAtrueMicrosoft WindowsValid 734700x8000000000000000150684145Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:07.544{3BF36828-0669-61F8-11DA-01000000CF01}6068C:\Windows\explorer.exeC:\Windows\System32\wpdshext.dll10.0.14393.4169 (rs1_release.210107-1130)Portable Devices Shell ExtensionMicrosoft® Windows® Operating SystemMicrosoft CorporationWpdShExt.dllMD5=CEB555E9099888316A1E2ADE83BA82BF,SHA256=4110FFD5F08100D1F6E1005E2907460E40B3221A0833B821BE291657416E89F0,IMPHASH=60006258D4DE87B31BEDA805A8CC8040trueMicrosoft WindowsValid 734700x8000000000000000150684144Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:07.528{3BF36828-0669-61F8-11DA-01000000CF01}6068C:\Windows\explorer.exeC:\Windows\System32\PlayToDevice.dll10.0.14393.4169 (rs1_release.210107-1130)PLAYTODEVICE DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPlaytoDevice.dllMD5=0B283806F6BEEE6509E9F8C3FCA10286,SHA256=4DC982EC3F8B81CF8BF0F56ED5CEF628C28A1620CC12B94CAFADCD7CE684B6E2,IMPHASH=C336F93278ACA9710F465E21059D5842trueMicrosoft WindowsValid 23542300x8000000000000000150684143Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:07.295{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0161167BB2FBCB90ADC83A0A199E7FA,SHA256=08F6A9A8E4A892364D335FFE3C8CAF76210BF18C7295A9E004E0E8609E9AE958,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684142Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:07.263{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1BBA35C2F3C86F685ED644BCCACDD043,SHA256=7C6D46BE06104103F19BA5C1E9613ED7A15205FB8FB51FD3C17D1B80574F48C2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684141Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:07.013{3BF36828-0669-61F8-11DA-01000000CF01}6068ATTACKRANGE\AdministratorC:\Windows\explorer.exeC:\Tools\x64\[0;e0b70]-1-0-40a50000-WIN-DC-128$@GC-win-dc-128.attackrange.local.kirbiMD5=7429EBD35D0249245D37B64DF573597B,SHA256=4E53DE40D5E14C2D3BD2C9B4F0D3968DF6C912E4A5D703E77C5D4377609AFA7C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684140Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:07.013{3BF36828-0669-61F8-11DA-01000000CF01}6068ATTACKRANGE\AdministratorC:\Windows\explorer.exeC:\Tools\x64\[0;c1bd460]-2-0-60a10000-WIN-DC-128$@krbtgt-ATTACKRANGE.LOCAL.kirbiMD5=1538404CFA40760EAECDCB99AFB07329,SHA256=BD877C7EEF1A80B0922D952523A41759C2101819642A7B4499FA02F4DDB2A013,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684139Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:07.013{3BF36828-0669-61F8-11DA-01000000CF01}6068ATTACKRANGE\AdministratorC:\Windows\explorer.exeC:\Tools\x64\[0;133115ef]-2-0-40e10000-Administrator@krbtgt-ATTACKRANGE.LOCAL.kirbiMD5=1DEC3E68A35AEC92CB0E0564338555E4,SHA256=E287DA3CC5DE7FEC09BFCDF2B5E1A26BB0B65524A7DC28905CDA6D42B779E4FC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684138Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:07.013{3BF36828-0669-61F8-11DA-01000000CF01}6068ATTACKRANGE\AdministratorC:\Windows\explorer.exeC:\Tools\x64\[0;466d5]-1-0-40a50000-WIN-DC-128$@LDAP-win-dc-128.attackrange.local.kirbiMD5=D64C7836B5F5B3B33388358E996D3A96,SHA256=AB2AE8799D8533EBF02D72A867F436C85DF432B0C51F107C4F3E793F4F1430AA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684137Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:07.013{3BF36828-0669-61F8-11DA-01000000CF01}6068ATTACKRANGE\AdministratorC:\Windows\explorer.exeC:\Tools\x64\[0;99d2b]-1-0-40a50000-WIN-DC-128$@LDAP-win-dc-128.attackrange.local.kirbiMD5=D64C7836B5F5B3B33388358E996D3A96,SHA256=AB2AE8799D8533EBF02D72A867F436C85DF432B0C51F107C4F3E793F4F1430AA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684136Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:07.013{3BF36828-0669-61F8-11DA-01000000CF01}6068ATTACKRANGE\AdministratorC:\Windows\explorer.exeC:\Tools\x64\[0;99cdd]-1-0-40a50000-WIN-DC-128$@ldap-win-dc-128.attackrange.local.kirbiMD5=6934B55A732BF7D2197644DDE0A92562,SHA256=1144721707BD0EC322C8DA0D2B11593DEF8E2A37E963F5A30274A45C4C7A16B4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684135Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:07.013{3BF36828-0669-61F8-11DA-01000000CF01}6068ATTACKRANGE\AdministratorC:\Windows\explorer.exeC:\Tools\x64\[0;12e99e16]-1-0-40a50000-WIN-DC-128$@ldap-win-dc-128.attackrange.local.kirbiMD5=BAD2243E3C3198A1033B63D7ABC2CF01,SHA256=A37EBBD70CFC62172A86EC3A3843989EA2F8130F5FB2906CF846A8E72FDAFEC8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684134Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:07.013{3BF36828-0669-61F8-11DA-01000000CF01}6068ATTACKRANGE\AdministratorC:\Windows\explorer.exeC:\Tools\x64\[0;12e99bb6]-1-0-40a50000-WIN-DC-128$@ldap-win-dc-128.attackrange.local.kirbiMD5=BAD2243E3C3198A1033B63D7ABC2CF01,SHA256=A37EBBD70CFC62172A86EC3A3843989EA2F8130F5FB2906CF846A8E72FDAFEC8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684133Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:07.013{3BF36828-0669-61F8-11DA-01000000CF01}6068ATTACKRANGE\AdministratorC:\Windows\explorer.exeC:\Tools\x64\[0;12e98da3]-2-0-60a10000-WIN-DC-128$@krbtgt-ATTACKRANGE.LOCAL.kirbiMD5=F4446B920A289C7D7A047BF2859420B8,SHA256=FC3294BF50C178A454C808B0A19A8D6DFF55B98B6B8EC4012E8C9739ADB3B078,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684132Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:07.013{3BF36828-0669-61F8-11DA-01000000CF01}6068ATTACKRANGE\AdministratorC:\Windows\explorer.exeC:\Tools\x64\[0;12e9cb8b]-1-0-40a50000-WIN-DC-128$@ldap-win-dc-128.attackrange.local.kirbiMD5=BAD2243E3C3198A1033B63D7ABC2CF01,SHA256=A37EBBD70CFC62172A86EC3A3843989EA2F8130F5FB2906CF846A8E72FDAFEC8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684131Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:07.013{3BF36828-0669-61F8-11DA-01000000CF01}6068ATTACKRANGE\AdministratorC:\Windows\explorer.exeC:\Tools\x64\[0;3e7]-2-1-40e10000-WIN-DC-128$@krbtgt-ATTACKRANGE.LOCAL.kirbiMD5=02D99E958F324DDAFB2F11060EC2EDC3,SHA256=0DDAA33D05075CF6BC2B88B78DEC1641940D0745BB7DDC3EC21364ED0399A919,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684130Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:06.997{3BF36828-0669-61F8-11DA-01000000CF01}6068ATTACKRANGE\AdministratorC:\Windows\explorer.exeC:\Tools\x64\[0;3e7]-2-0-60a10000-WIN-DC-128$@krbtgt-ATTACKRANGE.LOCAL.kirbiMD5=F4446B920A289C7D7A047BF2859420B8,SHA256=FC3294BF50C178A454C808B0A19A8D6DFF55B98B6B8EC4012E8C9739ADB3B078,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684129Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:06.997{3BF36828-0669-61F8-11DA-01000000CF01}6068ATTACKRANGE\AdministratorC:\Windows\explorer.exeC:\Tools\x64\[0;3e7]-0-8-40a50000-WIN-DC-128$@GC-win-dc-128.attackrange.local.kirbiMD5=9C651DD3A547FAD0457EE2EEA7DF624C,SHA256=8D706E623F04EDE7D4BDF9EFC0B3F3D7C4F70DA0FD8C6D55498FC8562FD1AD5B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684128Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:06.997{3BF36828-0669-61F8-11DA-01000000CF01}6068ATTACKRANGE\AdministratorC:\Windows\explorer.exeC:\Tools\x64\[0;3e7]-0-7-40a50000-WIN-DC-128$@HTTP-win-dc-128.attackrange.local.kirbiMD5=45C78B1E4923AAE8DA82E9AA063E0DCB,SHA256=172777FAE1C72CB002E4E538ECC15B35F0759C8B2A7E16792EDD58B7D97BAE88,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684127Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:06.997{3BF36828-0669-61F8-11DA-01000000CF01}6068ATTACKRANGE\AdministratorC:\Windows\explorer.exeC:\Tools\x64\[0;3e7]-0-6-40a50000-WIN-DC-128$@cifs-win-dc-128.attackrange.local.kirbiMD5=92F494DE80771F472ADB197406E36BFF,SHA256=F1C067AF263E6EE289092482952F76C8BAFE91A49EDFEB0B53438D251AA90ABC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684126Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:06.997{3BF36828-0669-61F8-11DA-01000000CF01}6068ATTACKRANGE\AdministratorC:\Windows\explorer.exeC:\Tools\x64\[0;3e7]-0-5-40a50000-WIN-DC-128$@ldap-win-dc-128.attackrange.local.kirbiMD5=37C2C327F7DEE413893A863D6EE2C897,SHA256=350FBDD759E8CCB5B2B2635781A25ED21EEC851DC992E17BC00330C3C6DB5FC5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684125Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:06.997{3BF36828-0669-61F8-11DA-01000000CF01}6068ATTACKRANGE\AdministratorC:\Windows\explorer.exeC:\Tools\x64\[0;3e7]-0-4-40a50000.kirbiMD5=A850B0C1F4568EBE9F62F12263490346,SHA256=5FB8EC54F96857208E770F54A778FB69E36CACB8BD411C65EC1296D0A25795EA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684124Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:06.997{3BF36828-0669-61F8-11DA-01000000CF01}6068ATTACKRANGE\AdministratorC:\Windows\explorer.exeC:\Tools\x64\[0;3e7]-0-3-40a50000-WIN-DC-128$@cifs-win-dc-128.attackrange.local.kirbiMD5=E7BB60CDDF40A4013F55E00C7123678F,SHA256=3088B862CE90F943E70CC6ED70859451E9AF92F53800D56870623514C0DDF819,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684123Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:06.997{3BF36828-0669-61F8-11DA-01000000CF01}6068ATTACKRANGE\AdministratorC:\Windows\explorer.exeC:\Tools\x64\[0;3e7]-0-2-40a50000-WIN-DC-128$@LDAP-WIN-DC-128.kirbiMD5=BC4CF1CD4D3403BEA6FA690DC53B08D8,SHA256=56FA34F1DFB9B985A9EA6B0263D7488E29CB9ABE0397F5C8C5A348ED30F9D856,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684122Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:06.997{3BF36828-0669-61F8-11DA-01000000CF01}6068ATTACKRANGE\AdministratorC:\Windows\explorer.exeC:\Tools\x64\[0;3e7]-0-1-40a50000-WIN-DC-128$@ldap-win-dc-128.attackrange.local.kirbiMD5=1EDA95E938CA1AA89EC59AB6A4521ED5,SHA256=69D843BCFE339BED1ED0F7A2BEEC8C076C3A7EAFE4547177F9796B42B88A9811,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684121Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:06.997{3BF36828-0669-61F8-11DA-01000000CF01}6068ATTACKRANGE\AdministratorC:\Windows\explorer.exeC:\Tools\x64\[0;3e7]-0-0-40a50000-WIN-DC-128$@cifs-WIN-DC-128.kirbiMD5=2DCC30DED8FCD0B9C576D6AD67D3DDEA,SHA256=C8B4BF3285461F5633BA0347113E7B2128438745B60040BA77415047326A0087,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684120Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:06.997{3BF36828-0669-61F8-11DA-01000000CF01}6068ATTACKRANGE\AdministratorC:\Windows\explorer.exeC:\Tools\x64\[0;3e4]-2-1-40e10000-WIN-DC-128$@krbtgt-ATTACKRANGE.LOCAL.kirbiMD5=1139BBABFF5017D749EE1A4C01A3D257,SHA256=E669F8AFDBBED8887503CFC8F2ADD4928DB3DB6E5FEE3C152EBAADEEE2E02A96,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087228Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:08.846{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E442B61477500A8C3DD89B92F5AA41F,SHA256=1E28AFA0B6EF560FE624F1304DB2EBB0D17FB18007428AB74664670F72E13EE5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684210Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.731{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8768FD4AAF50D153B190625C0749D5AB,SHA256=6654E1C0A2DFE8DB44D4DD4FFA745A5309C29532846E168522A6D226BF050E7D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000150684209Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.700{3BF36828-BB3C-61F9-8B0D-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 354300x800000000000000071087227Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:01.812{B81B27B7-4B45-61E8-6600-00000000CE01}4020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local54100-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 734700x8000000000000000150684208Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.700{3BF36828-BB3C-61F9-8B0D-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000150684207Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.700{3BF36828-BB3C-61F9-8B0D-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000150684206Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.560{3BF36828-BB3C-61F9-8B0D-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000150684205Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.560{3BF36828-BB3C-61F9-8B0D-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000150684204Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.560{3BF36828-BB3C-61F9-8B0D-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000150684203Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.560{3BF36828-BB3C-61F9-8B0D-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000150684202Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.560{3BF36828-BB3C-61F9-8B0D-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000150684201Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.560{3BF36828-BB3C-61F9-8B0D-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000150684200Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.560{3BF36828-BB3C-61F9-8B0D-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000150684199Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.560{3BF36828-BB3C-61F9-8B0D-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000150684198Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.544{3BF36828-BB3C-61F9-8B0D-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000150684197Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.544{3BF36828-BB3C-61F9-8B0D-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000150684196Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.544{3BF36828-BB3C-61F9-8B0D-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000150684195Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.544{3BF36828-BB3C-61F9-8B0D-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000150684194Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.544{3BF36828-BB3C-61F9-8B0D-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000150684193Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.544{3BF36828-BB3C-61F9-8B0D-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000150684192Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.544{3BF36828-BB3C-61F9-8B0D-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000150684191Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.544{3BF36828-BB3C-61F9-8B0D-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000150684190Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.544{3BF36828-BB3C-61F9-8B0D-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000150684189Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.544{3BF36828-BB3C-61F9-8B0D-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000150684188Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.544{3BF36828-BB3C-61F9-8B0D-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000150684187Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.544{3BF36828-BB3C-61F9-8B0D-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000150684186Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.544{3BF36828-BB3C-61F9-8B0D-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000150684185Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.544{3BF36828-BB3C-61F9-8B0D-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000150684184Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.544{3BF36828-BB3C-61F9-8B0D-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000150684183Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.544{3BF36828-BB3C-61F9-8B0D-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000150684182Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.544{3BF36828-BB3C-61F9-8B0D-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000150684181Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.544{3BF36828-BB3C-61F9-8B0D-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000150684180Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.544{3BF36828-BB3C-61F9-8B0D-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x8000000000000000150684179Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.544{3BF36828-BB3C-61F9-8B0D-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000150684178Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.544{3BF36828-BB3C-61F9-8B0D-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000150684177Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.544{3BF36828-BB3C-61F9-8B0D-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000150684176Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.544{3BF36828-BB3C-61F9-8B0D-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x8000000000000000150684175Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.544{3BF36828-BB3C-61F9-8B0D-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150684174Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.544{3BF36828-BB3C-61F9-8B0D-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000150684173Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.544{3BF36828-BB3C-61F9-8B0D-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x8000000000000000150684172Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.544{3BF36828-BB3C-61F9-8B0D-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000150684171Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.544{3BF36828-BB3C-61F9-8B0D-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000150684170Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.544{3BF36828-BB3C-61F9-8B0D-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x8000000000000000150684169Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.544{3BF36828-BB3C-61F9-8B0D-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000150684168Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.544{3BF36828-BB3C-61F9-8B0D-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000150684167Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.544{3BF36828-BB3C-61F9-8B0D-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x8000000000000000150684166Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.544{3BF36828-4B4B-61E8-3600-00000000CF01}34443464C:\Windows\system32\conhost.exe{3BF36828-BB3C-61F9-8B0D-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150684165Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.544{3BF36828-BB3C-61F9-8B0D-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000150684164Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.544{3BF36828-BB3C-61F9-8B0D-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000150684163Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.544{3BF36828-BB3C-61F9-8B0D-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150684162Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.544{3BF36828-BB3C-61F9-8B0D-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AECtrueSplunk, Inc.Valid 10341000x8000000000000000150684161Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.544{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684160Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.544{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684159Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.544{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684158Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.544{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684157Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.544{3BF36828-4B36-61E8-0500-00000000CF01}416532C:\Windows\system32\csrss.exe{3BF36828-BB3C-61F9-8B0D-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000150684156Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.544{3BF36828-4B49-61E8-2D00-00000000CF01}30564072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-BB3C-61F9-8B0D-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000150684155Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.513{3BF36828-BB3C-61F9-8B0D-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4B37-61E8-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000150684154Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.341{3BF36828-0669-61F8-11DA-01000000CF01}60682608C:\Windows\explorer.exe{3BF36828-9F48-61F9-2F0A-02000000CF01}4924C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+15d19|C:\Windows\System32\SHELL32.dll+b1b50|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684153Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.341{3BF36828-0669-61F8-11DA-01000000CF01}60682608C:\Windows\explorer.exe{3BF36828-9F48-61F9-2F0A-02000000CF01}4924C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684152Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.341{3BF36828-0669-61F8-11DA-01000000CF01}60685556C:\Windows\explorer.exe{3BF36828-9F48-61F9-300A-02000000CF01}2504C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13af|C:\Windows\System32\SHELL32.dll+b2af0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684151Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.341{3BF36828-0669-61F8-11DA-01000000CF01}60685556C:\Windows\explorer.exe{3BF36828-9F48-61F9-300A-02000000CF01}2504C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+981b0|C:\Windows\System32\SHELL32.dll+b2aac|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684150Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.341{3BF36828-0669-61F8-11DA-01000000CF01}60685556C:\Windows\explorer.exe{3BF36828-9F48-61F9-300A-02000000CF01}2504C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b2a80|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684149Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.341{3BF36828-0669-61F8-11DA-01000000CF01}60685556C:\Windows\explorer.exe{3BF36828-9F48-61F9-300A-02000000CF01}2504C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000150684148Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:08.310{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28F394204630A5A89F040401F0CB7F19,SHA256=F1F583B7EA075731F95AEFC803B6A046D3A10789DADC339510F69FFC15FDF49B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000071087246Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:09.909{B81B27B7-4B3C-61E8-3000-00000000CE01}31083128C:\Windows\system32\conhost.exe{B81B27B7-BB3D-61F9-520D-02000000CE01}4300C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087245Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:09.909{B81B27B7-4B39-61E8-0C00-00000000CE01}7364796C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087244Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:09.909{B81B27B7-4B39-61E8-0C00-00000000CE01}7364796C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087243Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:09.909{B81B27B7-4B39-61E8-0C00-00000000CE01}7364796C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087242Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:09.909{B81B27B7-4B39-61E8-0C00-00000000CE01}7364796C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087241Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:09.909{B81B27B7-4B38-61E8-0500-00000000CE01}420540C:\Windows\system32\csrss.exe{B81B27B7-BB3D-61F9-520D-02000000CE01}4300C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000071087240Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:09.909{B81B27B7-4B3A-61E8-2600-00000000CE01}21723992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-BB3D-61F9-520D-02000000CE01}4300C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000071087239Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:09.894{B81B27B7-BB3D-61F9-520D-02000000CE01}4300C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4B39-61E8-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000071087238Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:09.877{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1936589DE9F5A8562B1168F55B383EE,SHA256=4F13D84B115AE46E0ED540C5192D653154010D799EDF9566BB5D4C486D8588E0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000150684311Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.950{3BF36828-BB3D-61F9-8D0D-02000000CF01}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000150684310Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.950{3BF36828-BB3D-61F9-8D0D-02000000CF01}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000150684309Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.950{3BF36828-BB3D-61F9-8D0D-02000000CF01}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000150684308Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.950{3BF36828-BB3D-61F9-8D0D-02000000CF01}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000150684307Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.950{3BF36828-BB3D-61F9-8D0D-02000000CF01}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000150684306Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.950{3BF36828-BB3D-61F9-8D0D-02000000CF01}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000150684305Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.935{3BF36828-BB3D-61F9-8D0D-02000000CF01}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000150684304Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.935{3BF36828-BB3D-61F9-8D0D-02000000CF01}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000150684303Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.935{3BF36828-BB3D-61F9-8D0D-02000000CF01}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000150684302Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.935{3BF36828-BB3D-61F9-8D0D-02000000CF01}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000150684301Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.935{3BF36828-BB3D-61F9-8D0D-02000000CF01}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000150684300Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.935{3BF36828-BB3D-61F9-8D0D-02000000CF01}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000150684299Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.935{3BF36828-BB3D-61F9-8D0D-02000000CF01}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000150684298Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.935{3BF36828-BB3D-61F9-8D0D-02000000CF01}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000150684297Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.935{3BF36828-BB3D-61F9-8D0D-02000000CF01}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000150684296Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.935{3BF36828-BB3D-61F9-8D0D-02000000CF01}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150684295Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.935{3BF36828-BB3D-61F9-8D0D-02000000CF01}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000150684294Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.935{3BF36828-BB3D-61F9-8D0D-02000000CF01}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000150684293Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.935{3BF36828-BB3D-61F9-8D0D-02000000CF01}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000150684292Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.935{3BF36828-BB3D-61F9-8D0D-02000000CF01}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000150684291Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.935{3BF36828-BB3D-61F9-8D0D-02000000CF01}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000150684290Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.935{3BF36828-BB3D-61F9-8D0D-02000000CF01}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000150684289Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.935{3BF36828-BB3D-61F9-8D0D-02000000CF01}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000150684288Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.935{3BF36828-BB3D-61F9-8D0D-02000000CF01}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000150684287Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.935{3BF36828-BB3D-61F9-8D0D-02000000CF01}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000150684286Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.935{3BF36828-BB3D-61F9-8D0D-02000000CF01}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000150684285Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.935{3BF36828-BB3D-61F9-8D0D-02000000CF01}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000150684284Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.935{3BF36828-BB3D-61F9-8D0D-02000000CF01}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000150684283Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.935{3BF36828-BB3D-61F9-8D0D-02000000CF01}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000150684282Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.935{3BF36828-BB3D-61F9-8D0D-02000000CF01}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000150684281Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.935{3BF36828-BB3D-61F9-8D0D-02000000CF01}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000150684280Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.935{3BF36828-BB3D-61F9-8D0D-02000000CF01}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000150684279Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.935{3BF36828-BB3D-61F9-8D0D-02000000CF01}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000150684278Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.935{3BF36828-BB3D-61F9-8D0D-02000000CF01}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000150684277Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.935{3BF36828-BB3D-61F9-8D0D-02000000CF01}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000150684276Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.919{3BF36828-BB3D-61F9-8D0D-02000000CF01}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x8000000000000000150684275Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.919{3BF36828-4B4B-61E8-3600-00000000CF01}34443464C:\Windows\system32\conhost.exe{3BF36828-BB3D-61F9-8D0D-02000000CF01}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150684274Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.919{3BF36828-BB3D-61F9-8D0D-02000000CF01}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000150684273Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.919{3BF36828-BB3D-61F9-8D0D-02000000CF01}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000150684272Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.919{3BF36828-BB3D-61F9-8D0D-02000000CF01}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150684271Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.919{3BF36828-BB3D-61F9-8D0D-02000000CF01}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25trueSplunk, Inc.Valid 10341000x8000000000000000150684270Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.919{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684269Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.919{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684268Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.919{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684267Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.919{3BF36828-4B36-61E8-0500-00000000CF01}4164876C:\Windows\system32\csrss.exe{3BF36828-BB3D-61F9-8D0D-02000000CF01}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000150684266Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.919{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684265Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.919{3BF36828-4B49-61E8-2D00-00000000CF01}30564072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-BB3D-61F9-8D0D-02000000CF01}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000150684264Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.904{3BF36828-BB3D-61F9-8D0D-02000000CF01}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4B37-61E8-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000150684263Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.560{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=93C8DD3C46BDAFCB46E8B63398F906B8,SHA256=B7B645C4034603D34EB14FA3ABFD7D03CA148F0F73443554F3A65C11B0122B1A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000150684262Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.372{3BF36828-BB3D-61F9-8C0D-02000000CF01}2124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000150684261Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.372{3BF36828-BB3D-61F9-8C0D-02000000CF01}21245460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150684260Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.372{3BF36828-BB3D-61F9-8C0D-02000000CF01}2124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000150684259Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.372{3BF36828-BB3D-61F9-8C0D-02000000CF01}2124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000150684258Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.356{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F55656D80F856C83A0E31569B76EA98A,SHA256=5882DC383F6BF242EF9575F0759B3C7CA170DEC1946F7DD1077E99A7038AE431,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000071087237Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:09.424{B81B27B7-BB3D-61F9-510D-02000000CE01}36564540C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087236Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:09.237{B81B27B7-4B3C-61E8-3000-00000000CE01}31083128C:\Windows\system32\conhost.exe{B81B27B7-BB3D-61F9-510D-02000000CE01}3656C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087235Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:09.221{B81B27B7-4B39-61E8-0C00-00000000CE01}7364796C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087234Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:09.221{B81B27B7-4B39-61E8-0C00-00000000CE01}7364796C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087233Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:09.221{B81B27B7-4B39-61E8-0C00-00000000CE01}7364796C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087232Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:09.221{B81B27B7-4B38-61E8-0500-00000000CE01}420436C:\Windows\system32\csrss.exe{B81B27B7-BB3D-61F9-510D-02000000CE01}3656C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000071087231Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:09.221{B81B27B7-4B39-61E8-0C00-00000000CE01}7364796C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087230Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:09.221{B81B27B7-4B3A-61E8-2600-00000000CE01}21723992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-BB3D-61F9-510D-02000000CE01}3656C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000071087229Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:09.206{B81B27B7-BB3D-61F9-510D-02000000CE01}3656C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4B39-61E8-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x8000000000000000150684257Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.247{3BF36828-BB3D-61F9-8C0D-02000000CF01}2124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000150684256Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.247{3BF36828-BB3D-61F9-8C0D-02000000CF01}2124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000150684255Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.247{3BF36828-BB3D-61F9-8C0D-02000000CF01}2124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000150684254Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.247{3BF36828-BB3D-61F9-8C0D-02000000CF01}2124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000150684253Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.247{3BF36828-BB3D-61F9-8C0D-02000000CF01}2124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000150684252Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.231{3BF36828-BB3D-61F9-8C0D-02000000CF01}2124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000150684251Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.231{3BF36828-BB3D-61F9-8C0D-02000000CF01}2124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000150684250Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.231{3BF36828-BB3D-61F9-8C0D-02000000CF01}2124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000150684249Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.231{3BF36828-BB3D-61F9-8C0D-02000000CF01}2124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000150684248Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.231{3BF36828-BB3D-61F9-8C0D-02000000CF01}2124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000150684247Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.231{3BF36828-BB3D-61F9-8C0D-02000000CF01}2124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000150684246Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.231{3BF36828-BB3D-61F9-8C0D-02000000CF01}2124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000150684245Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.231{3BF36828-BB3D-61F9-8C0D-02000000CF01}2124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000150684244Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.231{3BF36828-BB3D-61F9-8C0D-02000000CF01}2124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000150684243Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.231{3BF36828-BB3D-61F9-8C0D-02000000CF01}2124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000150684242Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.231{3BF36828-BB3D-61F9-8C0D-02000000CF01}2124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000150684241Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.231{3BF36828-BB3D-61F9-8C0D-02000000CF01}2124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150684240Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.231{3BF36828-BB3D-61F9-8C0D-02000000CF01}2124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000150684239Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.231{3BF36828-BB3D-61F9-8C0D-02000000CF01}2124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000150684238Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.231{3BF36828-BB3D-61F9-8C0D-02000000CF01}2124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000150684237Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.231{3BF36828-BB3D-61F9-8C0D-02000000CF01}2124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000150684236Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.231{3BF36828-BB3D-61F9-8C0D-02000000CF01}2124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000150684235Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.231{3BF36828-BB3D-61F9-8C0D-02000000CF01}2124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000150684234Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.231{3BF36828-BB3D-61F9-8C0D-02000000CF01}2124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000150684233Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.231{3BF36828-BB3D-61F9-8C0D-02000000CF01}2124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000150684232Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.231{3BF36828-BB3D-61F9-8C0D-02000000CF01}2124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000150684231Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.231{3BF36828-BB3D-61F9-8C0D-02000000CF01}2124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000150684230Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.231{3BF36828-BB3D-61F9-8C0D-02000000CF01}2124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000150684229Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.231{3BF36828-BB3D-61F9-8C0D-02000000CF01}2124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000150684228Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.231{3BF36828-BB3D-61F9-8C0D-02000000CF01}2124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000150684227Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.231{3BF36828-BB3D-61F9-8C0D-02000000CF01}2124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000150684226Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.231{3BF36828-BB3D-61F9-8C0D-02000000CF01}2124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000150684225Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.231{3BF36828-BB3D-61F9-8C0D-02000000CF01}2124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000150684224Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.231{3BF36828-BB3D-61F9-8C0D-02000000CF01}2124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000150684223Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.231{3BF36828-BB3D-61F9-8C0D-02000000CF01}2124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x8000000000000000150684222Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.231{3BF36828-4B4B-61E8-3600-00000000CF01}34443464C:\Windows\system32\conhost.exe{3BF36828-BB3D-61F9-8C0D-02000000CF01}2124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150684221Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.231{3BF36828-BB3D-61F9-8C0D-02000000CF01}2124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000150684220Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.231{3BF36828-BB3D-61F9-8C0D-02000000CF01}2124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000150684219Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.231{3BF36828-BB3D-61F9-8C0D-02000000CF01}2124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150684218Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.231{3BF36828-BB3D-61F9-8C0D-02000000CF01}2124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x8000000000000000150684217Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.231{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684216Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.231{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684215Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.231{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684214Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.231{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684213Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.231{3BF36828-4B36-61E8-0500-00000000CF01}4164876C:\Windows\system32\csrss.exe{3BF36828-BB3D-61F9-8C0D-02000000CF01}2124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000150684212Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.231{3BF36828-4B49-61E8-2D00-00000000CF01}30564072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-BB3D-61F9-8C0D-02000000CF01}2124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000150684211Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:09.217{3BF36828-BB3D-61F9-8C0D-02000000CF01}2124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4B37-61E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000150684368Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:10.919{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C290334FE1C863E2AE06D18AD4384EC6,SHA256=50594F9610A2A3300D38AC3E3F7CB6143BD871E9D51F4E2F71079E89B9C88D80,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000150684367Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:10.778{3BF36828-BB3E-61F9-8E0D-02000000CF01}1800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000150684366Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:10.778{3BF36828-BB3E-61F9-8E0D-02000000CF01}18005308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150684365Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:10.778{3BF36828-BB3E-61F9-8E0D-02000000CF01}1800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000150684364Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:10.778{3BF36828-BB3E-61F9-8E0D-02000000CF01}1800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000150684363Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:10.731{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A919746C2474F387BE4DBB16F64985B4,SHA256=DF073DBE52520C4419F6D548BFC0DF50A45A8393DD9889A1B10D1AC9C90107ED,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000150684362Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:10.622{3BF36828-BB3E-61F9-8E0D-02000000CF01}1800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000150684361Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:10.622{3BF36828-BB3E-61F9-8E0D-02000000CF01}1800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000150684360Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:10.622{3BF36828-BB3E-61F9-8E0D-02000000CF01}1800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000150684359Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:10.622{3BF36828-BB3E-61F9-8E0D-02000000CF01}1800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000150684358Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:10.622{3BF36828-BB3E-61F9-8E0D-02000000CF01}1800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000150684357Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:10.622{3BF36828-BB3E-61F9-8E0D-02000000CF01}1800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000150684356Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:10.622{3BF36828-BB3E-61F9-8E0D-02000000CF01}1800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000150684355Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:10.622{3BF36828-BB3E-61F9-8E0D-02000000CF01}1800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000150684354Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:10.606{3BF36828-BB3E-61F9-8E0D-02000000CF01}1800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000150684353Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:10.606{3BF36828-BB3E-61F9-8E0D-02000000CF01}1800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000150684352Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:10.606{3BF36828-BB3E-61F9-8E0D-02000000CF01}1800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000150684351Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:10.606{3BF36828-BB3E-61F9-8E0D-02000000CF01}1800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000150684350Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:10.606{3BF36828-BB3E-61F9-8E0D-02000000CF01}1800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000150684349Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:10.606{3BF36828-BB3E-61F9-8E0D-02000000CF01}1800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000150684348Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:10.606{3BF36828-BB3E-61F9-8E0D-02000000CF01}1800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000150684347Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:10.606{3BF36828-BB3E-61F9-8E0D-02000000CF01}1800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000150684346Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:10.606{3BF36828-BB3E-61F9-8E0D-02000000CF01}1800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000150684345Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:10.606{3BF36828-BB3E-61F9-8E0D-02000000CF01}1800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150684344Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:10.606{3BF36828-BB3E-61F9-8E0D-02000000CF01}1800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000150684343Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:10.606{3BF36828-BB3E-61F9-8E0D-02000000CF01}1800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000150684342Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:10.606{3BF36828-BB3E-61F9-8E0D-02000000CF01}1800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000150684341Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:10.606{3BF36828-BB3E-61F9-8E0D-02000000CF01}1800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000150684340Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:10.606{3BF36828-BB3E-61F9-8E0D-02000000CF01}1800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000150684339Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:10.606{3BF36828-BB3E-61F9-8E0D-02000000CF01}1800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000150684338Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:10.606{3BF36828-BB3E-61F9-8E0D-02000000CF01}1800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000150684337Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:10.606{3BF36828-BB3E-61F9-8E0D-02000000CF01}1800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000150684336Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:10.606{3BF36828-BB3E-61F9-8E0D-02000000CF01}1800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000150684335Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:10.606{3BF36828-BB3E-61F9-8E0D-02000000CF01}1800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000150684334Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:10.606{3BF36828-BB3E-61F9-8E0D-02000000CF01}1800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000150684333Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:10.606{3BF36828-BB3E-61F9-8E0D-02000000CF01}1800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000150684332Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:10.606{3BF36828-BB3E-61F9-8E0D-02000000CF01}1800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000150684331Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:10.606{3BF36828-BB3E-61F9-8E0D-02000000CF01}1800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000150684330Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:10.606{3BF36828-BB3E-61F9-8E0D-02000000CF01}1800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000150684329Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:10.606{3BF36828-BB3E-61F9-8E0D-02000000CF01}1800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000150684328Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:10.606{3BF36828-BB3E-61F9-8E0D-02000000CF01}1800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x8000000000000000150684327Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:10.606{3BF36828-4B4B-61E8-3600-00000000CF01}34443464C:\Windows\system32\conhost.exe{3BF36828-BB3E-61F9-8E0D-02000000CF01}1800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150684326Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:10.606{3BF36828-BB3E-61F9-8E0D-02000000CF01}1800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000150684325Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:10.606{3BF36828-BB3E-61F9-8E0D-02000000CF01}1800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000150684324Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:10.606{3BF36828-BB3E-61F9-8E0D-02000000CF01}1800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150684323Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:10.606{3BF36828-BB3E-61F9-8E0D-02000000CF01}1800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x8000000000000000150684322Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:10.606{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684321Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:10.606{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684320Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:10.606{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684319Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:10.606{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684318Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:10.606{3BF36828-4B36-61E8-0500-00000000CF01}416532C:\Windows\system32\csrss.exe{3BF36828-BB3E-61F9-8E0D-02000000CF01}1800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000150684317Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:10.606{3BF36828-4B49-61E8-2D00-00000000CF01}30564072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-BB3E-61F9-8E0D-02000000CF01}1800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000150684316Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:10.592{3BF36828-BB3E-61F9-8E0D-02000000CF01}1800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4B37-61E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000071087257Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:10.940{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8757B06533FDA5438F3B6178CAE8F326,SHA256=1FF9E6DADED1B5740044F7DFB38431C63DE4B1A7376152163A200A32BBD4BA9B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000071087256Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:10.424{B81B27B7-4B3C-61E8-3000-00000000CE01}31083128C:\Windows\system32\conhost.exe{B81B27B7-BB3E-61F9-530D-02000000CE01}840C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087255Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:10.424{B81B27B7-4B39-61E8-0C00-00000000CE01}7364796C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087254Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:10.424{B81B27B7-4B39-61E8-0C00-00000000CE01}7364796C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087253Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:10.424{B81B27B7-4B39-61E8-0C00-00000000CE01}7364796C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087252Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:10.424{B81B27B7-4B39-61E8-0C00-00000000CE01}7364796C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087251Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:10.424{B81B27B7-4B38-61E8-0500-00000000CE01}420540C:\Windows\system32\csrss.exe{B81B27B7-BB3E-61F9-530D-02000000CE01}840C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000071087250Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:10.424{B81B27B7-4B3A-61E8-2600-00000000CE01}21723992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-BB3E-61F9-530D-02000000CE01}840C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000071087249Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:10.410{B81B27B7-BB3E-61F9-530D-02000000CE01}840C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4B39-61E8-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000071087248Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:10.221{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=07EE0EB7ECC91F2AAB0B8D68BA739ABA,SHA256=6EE0CE00796140121006BF76441137A2720C2E5E2FA88407AE075ABCF1E35391,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087247Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:10.221{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=87EEAAE83A14349C1206594E8460EC16,SHA256=7C5C0CEA962D5991DDA9C7824B7CD91515C949C4AA5D5F22A08BB1AA1F12565D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000150684315Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:10.106{3BF36828-BB3D-61F9-8D0D-02000000CF01}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000150684314Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:10.106{3BF36828-BB3D-61F9-8D0D-02000000CF01}25564868C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150684313Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:10.106{3BF36828-BB3D-61F9-8D0D-02000000CF01}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000150684312Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:10.106{3BF36828-BB3D-61F9-8D0D-02000000CF01}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000071087259Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:11.940{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E623F977D7B2836726E0B5BAE14F1C2,SHA256=1B0D0215DD76A200DEDDFDAEA3489C2625ED54FCC34C3D9E01AF44A7243D6218,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087258Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:11.424{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=07EE0EB7ECC91F2AAB0B8D68BA739ABA,SHA256=6EE0CE00796140121006BF76441137A2720C2E5E2FA88407AE075ABCF1E35391,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684369Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:12.091{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D170E6AE4412C39C782BE1D8D764C183,SHA256=7DF4F18CD1CB5FA0E81BD31D6987622265A6B2A6D78D41C38C0DB1D5EBEE8DDF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000150684372Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:58:55.662{3BF36828-4B56-61E8-6D00-00000000CF01}4044C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local59770-false10.0.1.12-8000- 23542300x8000000000000000150684371Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:13.185{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2563969C4588C8D29C5560D5D84CFBA3,SHA256=DA87E4D7F0EB9CB8DB425D3CBD2CE79635DEEC81AF95FEFEAA5AADCA911A6568,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684370Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:13.106{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C4C885E0863676D372607B6077CC480,SHA256=E37ACD819D61840246F503F5904106BFB19484ADEEE51F9B1EF99F8B7EE7CAD9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000071087261Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:06.875{B81B27B7-4B45-61E8-6600-00000000CE01}4020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local54101-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000071087260Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:13.002{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A592C6B00AAAF3E4C06BF273A17EA25,SHA256=04CF837424D861ECEF3CAF3B4FCF94E664E38A5DC939C0EB989C4139BEC5551B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684373Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:14.138{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E757928C9C20090C316076CE4A04499,SHA256=D47BDC08A03CA723AD0584E70A441C4D0E9DDE2432FD4A029916081ECBCA464A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087262Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:14.237{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFE3A0982145C71D43B4A9D3A15EE4BC,SHA256=E3167519F6C63E73C89890D4287DC5F0295DB46FD1EE0DBC90E75CB3DCE39039,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684374Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:15.153{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=748C1FFC405E78D454CB6603BA2D19E5,SHA256=42436D6065E2F2AB73A25BBB10682B60D16C32D875F4FE12699A09CF937E2484,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087263Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:15.299{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF15556C76D37542FFC033D6829CC118,SHA256=43728623E2BBBE054A950D5B2FC56FD409ED3E42CC0B40510AB31717EC4F0BDD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087264Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:16.299{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=734F2F90D97B69D7F17E3F9045603D8C,SHA256=D433E5BAF9D28F811E7180EE36406E46CBABCA415B403E1F3010BC5B9F097B37,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684375Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:16.200{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDE283693DAC0ADA2261C66631B2C74A,SHA256=502F64BD9D28E0A542800D7F2A422049FB41D6B49D75A7CCFE74FE35AB24A57F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000150684427Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:17.778{3BF36828-BB45-61F9-8F0D-02000000CF01}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000150684426Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:17.766{3BF36828-BB45-61F9-8F0D-02000000CF01}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000150684425Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:17.766{3BF36828-BB45-61F9-8F0D-02000000CF01}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000150684424Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:17.606{3BF36828-BB45-61F9-8F0D-02000000CF01}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000150684423Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:17.606{3BF36828-BB45-61F9-8F0D-02000000CF01}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000150684422Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:17.606{3BF36828-BB45-61F9-8F0D-02000000CF01}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000150684421Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:17.606{3BF36828-BB45-61F9-8F0D-02000000CF01}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000150684420Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:17.606{3BF36828-BB45-61F9-8F0D-02000000CF01}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000150684419Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:17.606{3BF36828-BB45-61F9-8F0D-02000000CF01}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000150684418Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:17.606{3BF36828-BB45-61F9-8F0D-02000000CF01}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000150684417Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:17.591{3BF36828-BB45-61F9-8F0D-02000000CF01}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000150684416Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:17.591{3BF36828-BB45-61F9-8F0D-02000000CF01}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000150684415Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:17.591{3BF36828-BB45-61F9-8F0D-02000000CF01}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000150684414Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:17.591{3BF36828-BB45-61F9-8F0D-02000000CF01}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000150684413Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:17.591{3BF36828-BB45-61F9-8F0D-02000000CF01}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045,IMPHASH=2005807FD04567B79F4109D23F9E6018trueMicrosoft WindowsValid 734700x8000000000000000150684412Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:17.591{3BF36828-BB45-61F9-8F0D-02000000CF01}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000150684411Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:17.591{3BF36828-BB45-61F9-8F0D-02000000CF01}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000150684410Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:17.591{3BF36828-BB45-61F9-8F0D-02000000CF01}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000150684409Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:17.591{3BF36828-BB45-61F9-8F0D-02000000CF01}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000150684408Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:17.591{3BF36828-BB45-61F9-8F0D-02000000CF01}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000150684407Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:17.591{3BF36828-BB45-61F9-8F0D-02000000CF01}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000150684406Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:17.591{3BF36828-BB45-61F9-8F0D-02000000CF01}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000150684405Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:17.591{3BF36828-BB45-61F9-8F0D-02000000CF01}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000150684404Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:17.591{3BF36828-BB45-61F9-8F0D-02000000CF01}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000150684403Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:17.591{3BF36828-BB45-61F9-8F0D-02000000CF01}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000150684402Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:17.591{3BF36828-BB45-61F9-8F0D-02000000CF01}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000150684401Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:17.591{3BF36828-BB45-61F9-8F0D-02000000CF01}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000150684400Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:17.591{3BF36828-BB45-61F9-8F0D-02000000CF01}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000150684399Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:17.575{3BF36828-BB45-61F9-8F0D-02000000CF01}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000150684398Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:17.575{3BF36828-BB45-61F9-8F0D-02000000CF01}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000150684397Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:17.575{3BF36828-BB45-61F9-8F0D-02000000CF01}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000150684396Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:17.575{3BF36828-BB45-61F9-8F0D-02000000CF01}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000150684395Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:17.575{3BF36828-BB45-61F9-8F0D-02000000CF01}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000150684394Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:17.575{3BF36828-BB45-61F9-8F0D-02000000CF01}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000150684393Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:17.575{3BF36828-BB45-61F9-8F0D-02000000CF01}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x8000000000000000150684392Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:17.575{3BF36828-BB45-61F9-8F0D-02000000CF01}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000150684391Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:17.575{3BF36828-BB45-61F9-8F0D-02000000CF01}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000150684390Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:17.575{3BF36828-BB45-61F9-8F0D-02000000CF01}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150684389Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:17.575{3BF36828-BB45-61F9-8F0D-02000000CF01}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000150684388Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:17.575{3BF36828-4B4B-61E8-3600-00000000CF01}34443464C:\Windows\system32\conhost.exe{3BF36828-BB45-61F9-8F0D-02000000CF01}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150684387Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:17.575{3BF36828-BB45-61F9-8F0D-02000000CF01}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000150684386Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:17.575{3BF36828-BB45-61F9-8F0D-02000000CF01}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000150684385Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:17.575{3BF36828-BB45-61F9-8F0D-02000000CF01}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150684384Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:17.575{3BF36828-BB45-61F9-8F0D-02000000CF01}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748trueSplunk, Inc.Valid 10341000x8000000000000000150684383Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:17.575{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684382Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:17.575{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684381Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:17.575{3BF36828-4B36-61E8-0500-00000000CF01}416432C:\Windows\system32\csrss.exe{3BF36828-BB45-61F9-8F0D-02000000CF01}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000150684380Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:17.575{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684379Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:17.575{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684378Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:17.575{3BF36828-4B49-61E8-2D00-00000000CF01}30564072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-BB45-61F9-8F0D-02000000CF01}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000150684377Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:17.560{3BF36828-BB45-61F9-8F0D-02000000CF01}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4B37-61E8-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000150684376Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:17.232{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B1D322F8B036AC2A797F172CAD46952,SHA256=DE6CD4E28D0ADF2EED528B79A063EA24806AB2BF462695ADA9F8230BF8D46950,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087265Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:17.331{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46A9E7284E8549859722CA7F34DA9468,SHA256=04DFC17D0E6C78FA40E20BEC1A347CBCA1FC299A647DB06CB9ECA49D080DBA18,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684430Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:18.419{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F256714B55D05E153B602ADBD5628E4E,SHA256=FE2285022B0405CB132A19903750D8E51A46C4537E6A32C494B643D4CD1A53C0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684429Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:18.419{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3645038F74E35416C90E5AB77F6CCB5C,SHA256=4F955218EFC304B8E33CCC17D83968B2F24AF603FBD1B6D99CEDA8F08129E04F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684428Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:18.419{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CF6FC3E46F91021674866D61BF3A5C3C,SHA256=674FC27E1A7DAF2B4DC76ECD47A0957BC5AD067EFC26973CF3B732015D3A07B4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087266Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:18.346{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AC0C2C2DFBDFE7E0F39FE2FCE5B388A,SHA256=D1661161E50B138C98E29AD5F719723BDDA4A749699748E2A859B1AE3C1FE7E5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684432Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:19.638{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F346746B43F7BDFC1EE290D59E0355E1,SHA256=17CCC626A300BA19CFF59A961D71311C90B01830EA000997FB946B0E7170C1C8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000071087268Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:12.687{B81B27B7-4B45-61E8-6600-00000000CE01}4020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local54102-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000071087267Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:19.424{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F1D3E708275D43568346B5AFACC4576,SHA256=F50016BA1AA17575C46483520016A3B6EE9A38DC75CF0C0B6D8B62C4FCFB1A73,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000150684431Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:00.803{3BF36828-4B56-61E8-6D00-00000000CF01}4044C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local59771-false10.0.1.12-8000- 23542300x8000000000000000150684434Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:20.669{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=171FC1F6D223493DF8C76E15E4C611C3,SHA256=CA74CC9E618C937F361702C4D06A620A6EBEBD147EDC093658C665573FFA4C7A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000071087278Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:20.940{B81B27B7-BB48-61F9-540D-02000000CE01}28964920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087277Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:20.706{B81B27B7-4B3C-61E8-3000-00000000CE01}31083128C:\Windows\system32\conhost.exe{B81B27B7-BB48-61F9-540D-02000000CE01}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087276Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:20.690{B81B27B7-4B39-61E8-0C00-00000000CE01}7364796C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087275Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:20.690{B81B27B7-4B39-61E8-0C00-00000000CE01}7364796C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087274Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:20.690{B81B27B7-4B39-61E8-0C00-00000000CE01}7364796C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087273Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:20.690{B81B27B7-4B39-61E8-0C00-00000000CE01}7364796C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087272Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:20.690{B81B27B7-4B38-61E8-0500-00000000CE01}4202120C:\Windows\system32\csrss.exe{B81B27B7-BB48-61F9-540D-02000000CE01}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000071087271Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:20.690{B81B27B7-4B3A-61E8-2600-00000000CE01}21723992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-BB48-61F9-540D-02000000CE01}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000071087270Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:20.675{B81B27B7-BB48-61F9-540D-02000000CE01}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4B39-61E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000071087269Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:20.627{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B6611C630245334CC07DBFDB1389FBE,SHA256=2DEFF47C662CF33992BF12D9E65747CEE5D743722975157CA7F21358419DA238,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684433Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:20.310{3BF36828-4B39-61E8-1300-00000000CF01}352NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=6E3D778A571AD3D77484DC38CCF9E90E,SHA256=CF12A599D50262435857A1095D9940691C745B4374A2C6CABB2758805CE7834A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684435Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:21.700{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=440D5AA7B8558D5EDE8F4AAED3649C93,SHA256=6056426E1599601E9E695CAC07017ACA70840FAF24DB667AA4074EF86A1DDD58,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000071087298Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:21.831{B81B27B7-4B3C-61E8-3000-00000000CE01}31083128C:\Windows\system32\conhost.exe{B81B27B7-BB49-61F9-560D-02000000CE01}4892C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087297Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:21.831{B81B27B7-4B39-61E8-0C00-00000000CE01}7364796C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087296Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:21.831{B81B27B7-4B39-61E8-0C00-00000000CE01}7364796C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087295Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:21.831{B81B27B7-4B39-61E8-0C00-00000000CE01}7364796C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087294Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:21.831{B81B27B7-4B39-61E8-0C00-00000000CE01}7364796C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087293Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:21.831{B81B27B7-4B38-61E8-0500-00000000CE01}420436C:\Windows\system32\csrss.exe{B81B27B7-BB49-61F9-560D-02000000CE01}4892C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000071087292Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:21.831{B81B27B7-4B3A-61E8-2600-00000000CE01}21723992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-BB49-61F9-560D-02000000CE01}4892C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000071087291Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:21.817{B81B27B7-BB49-61F9-560D-02000000CE01}4892C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4B39-61E8-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000071087290Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:21.690{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=07DF5C406D02430C957A0167562AFB51,SHA256=3829DFC70FC2D4ADA9E06BBFD893C8C99A84D09674E13E0B50D904EBC01A4493,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087289Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:21.690{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A734D5FA96E5C586B4E1BD6E889CB597,SHA256=577CAFF995FA661EB5502194D0ECA99FD2229B5D7728A39E369D2B91B3FC2720,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087288Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:21.643{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C90FC4631DB4EA8145BF0D48B8E023B,SHA256=83528FB2674826BE088579FB004BA8AE15131A612BC2D7A911F115365B7F32BF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000071087287Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:21.440{B81B27B7-BB49-61F9-550D-02000000CE01}12123512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087286Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:21.206{B81B27B7-4B3C-61E8-3000-00000000CE01}31083128C:\Windows\system32\conhost.exe{B81B27B7-BB49-61F9-550D-02000000CE01}1212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087285Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:21.206{B81B27B7-4B39-61E8-0C00-00000000CE01}7364796C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087284Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:21.206{B81B27B7-4B39-61E8-0C00-00000000CE01}7364796C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087283Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:21.206{B81B27B7-4B39-61E8-0C00-00000000CE01}7364796C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087282Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:21.206{B81B27B7-4B38-61E8-0500-00000000CE01}4202120C:\Windows\system32\csrss.exe{B81B27B7-BB49-61F9-550D-02000000CE01}1212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000071087281Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:21.206{B81B27B7-4B39-61E8-0C00-00000000CE01}7364796C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087280Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:21.206{B81B27B7-4B3A-61E8-2600-00000000CE01}21723992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-BB49-61F9-550D-02000000CE01}1212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000071087279Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:21.191{B81B27B7-BB49-61F9-550D-02000000CE01}1212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4B39-61E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000150684436Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:22.716{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBDBCADAD955DF46BABE94B915B2A477,SHA256=025F029F0900CED38C0864AD2F11E4D480E2D632ECCFBF1675ED76150DDE7590,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087309Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:22.831{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=07DF5C406D02430C957A0167562AFB51,SHA256=3829DFC70FC2D4ADA9E06BBFD893C8C99A84D09674E13E0B50D904EBC01A4493,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000071087308Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:22.690{B81B27B7-BB4A-61F9-570D-02000000CE01}8524904C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000071087307Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:22.659{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DB9850B12ADF5935636BE561BBDBD41,SHA256=AF8E6364341C58F8AED2097AA3FDA2598E2A92333EDDA8D01254D12229D46FD6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000071087306Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:22.518{B81B27B7-4B3C-61E8-3000-00000000CE01}31083128C:\Windows\system32\conhost.exe{B81B27B7-BB4A-61F9-570D-02000000CE01}852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087305Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:22.518{B81B27B7-4B39-61E8-0C00-00000000CE01}7364796C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087304Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:22.518{B81B27B7-4B39-61E8-0C00-00000000CE01}7364796C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087303Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:22.518{B81B27B7-4B39-61E8-0C00-00000000CE01}7364796C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087302Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:22.518{B81B27B7-4B39-61E8-0C00-00000000CE01}7364796C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087301Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:22.518{B81B27B7-4B38-61E8-0500-00000000CE01}420540C:\Windows\system32\csrss.exe{B81B27B7-BB4A-61F9-570D-02000000CE01}852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000071087300Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:22.518{B81B27B7-4B3A-61E8-2600-00000000CE01}21723992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-BB4A-61F9-570D-02000000CE01}852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000071087299Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:22.503{B81B27B7-BB4A-61F9-570D-02000000CE01}852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4B39-61E8-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000071087310Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:23.737{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D2D96757BC361585E70B5A7C723E293,SHA256=9278E0216A70965C5692B283058B266B750F6F31E8263794310496A23D964BAD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684437Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:23.731{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=011F44B45688571ECA4793937369755B,SHA256=8E4A640A735104BF8E8815259F99DCB3EBB496D1A41DACAC1A4229DDD3780ACE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087312Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:24.893{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEECE1055417487F1719733D32EBDC6C,SHA256=3BEF442406B644FC9A0B2A3E37B9F58F5DE3B618CF5D3F3795F187B53CCEC422,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684440Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:24.747{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=549AF98E10F27645B4B321280498494F,SHA256=06F19F53C0934BB92414E4D0618F930F5672798B156A4F7CE83240C0A11EABD6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000071087311Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:17.734{B81B27B7-4B45-61E8-6600-00000000CE01}4020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local54103-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000150684439Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:24.310{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E0C7AE5156611CF4E142BEAA2B391DC9,SHA256=B974DC9B8ADAC7BA4C43D73831270A9DB220F5A625973F8D822C1A6766239A3C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684438Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:24.310{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F256714B55D05E153B602ADBD5628E4E,SHA256=FE2285022B0405CB132A19903750D8E51A46C4537E6A32C494B643D4CD1A53C0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684441Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:25.763{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D661588C4065B5F7416B6298A87281F6,SHA256=AC3743FCD4F8D3A35F1F98406FDAF9F69C346DDEA8F07373F182982352F5D8B1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087313Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:25.909{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F99CA7D3D28B3EDC0D540696C6FFA98,SHA256=251B8FE1C3FF2879B9B93F9DDE48C869EFA00F5CDDB0C9871C4670EDAB744A45,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087314Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:26.909{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79CDCE4BCACC452151F98C21A1FA34AC,SHA256=9F56783EA8440562D139FE818614ECDB7295CF4B45790508FA98BB3CA3E42B1F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684443Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:26.778{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E08D558B1D67031C3AD348C5628A227D,SHA256=EEAE7D79F5F558E22CBAD2E4FB1256F4F3DDF5F8F921CF2619A22F885D8726CD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000150684442Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:06.819{3BF36828-4B56-61E8-6D00-00000000CF01}4044C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local59772-false10.0.1.12-8000- 23542300x800000000000000071087315Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:27.925{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=367EB09DA8BD26118696FFF922AF215B,SHA256=DF168B55C4ADFD8D2389F7615E7255C93358E814D6CC8018488582FDB4B85DDA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684444Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:27.856{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5784DAB8FA245403695551A18B6DBA6,SHA256=63E3DCCB79129044DF457A3F07076040C86BFBAFC3FF266E4704A0AA51589A2D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087316Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:28.940{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99AE2BA414A7B35CB13BA3B1E335E229,SHA256=2653B0752ED48054EF7D2CEC8021FEB767D3D4CFD3887085A28ABC6E6EFC8DCF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684445Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:28.872{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBE5E5159D69BA8F163F1D88AB0F5B68,SHA256=40541E654F764221CC46988BCA8E493602C1F852EF511252F0F8B9624E48F3E6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684447Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:29.935{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0D5730FA5C2D5BF2420F4A3E870750C,SHA256=4A6EA0335138BC31C1F8123EE4D774921B536B45C6C7BAB3C10D9BF9B92688E1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087318Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:29.956{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68087B8B333D1FADDA18773D24FC4BD7,SHA256=E1FDC21C4DF11A6E75F7DE2EA05617E5B0C38CBE422D540A31F0F2D50110C6C6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000071087317Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:22.812{B81B27B7-4B45-61E8-6600-00000000CE01}4020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local54104-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 734700x8000000000000000150684446Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:29.216{3BF36828-BB2E-61F9-880D-02000000CF01}5192C:\Windows\System32\dllhost.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=FD486B6FA360ABE43E02E85F3164E9BE,SHA256=733922A216EC03FC6AA405205CD2F8BB81A39180F26839588B97F310E21071B5,IMPHASH=C3F4A4DA2950075F09DD008B60FF567CtrueMicrosoft WindowsValid 23542300x8000000000000000150684450Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:30.981{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0B4D3C4053738B853E4B0689D1698E3,SHA256=2BD517F6F598DDB83F9A872E9F354D7EE6F7DBDCC05A7475B34B28408B16C891,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087319Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:30.971{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D18AF57C3938D99D1DF9D82FAAB2052,SHA256=894D7B52CEA404BE997DFE7531183668BF6D91E483F5F2D3C5A3FC2FB070406C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684449Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:30.153{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=316FC2C0C0A697B319CCBB0D800FDCDD,SHA256=0EBC91635DC32E60B29EE06D5032632D58C35E3F4FE3AC3D1058461B42BA7822,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684448Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:30.153{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E0C7AE5156611CF4E142BEAA2B391DC9,SHA256=B974DC9B8ADAC7BA4C43D73831270A9DB220F5A625973F8D822C1A6766239A3C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087320Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:31.987{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49106DD9D500670D4B14A7621E800F2A,SHA256=1C64CBA035BF98C05C4CB0F1CE646E6CDAEC12BABE5D3E9C18B641CF4754AA57,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000150684451Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:12.693{3BF36828-4B56-61E8-6D00-00000000CF01}4044C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local59773-false10.0.1.12-8000- 23542300x8000000000000000150684453Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:32.294{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=316FC2C0C0A697B319CCBB0D800FDCDD,SHA256=0EBC91635DC32E60B29EE06D5032632D58C35E3F4FE3AC3D1058461B42BA7822,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684452Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:31.997{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A154A0D15F691997265557E243700BFB,SHA256=EFD8D4B482E85ABE088DFE4A57D0BC93649AE84583C2D93BFD6B5587945D66B3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087321Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:33.003{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60D9D98D001DED4C89CDCCC8EC00670F,SHA256=97053F04944B75199DA41B0CE8FC5A2A298C17DB170E2D59042FE4AF5A636EEB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000150684456Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:14.819{3BF36828-4B37-61E8-0B00-00000000CF01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local59774-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 354300x8000000000000000150684455Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:14.819{3BF36828-4B49-61E8-2500-00000000CF01}2824C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local59774-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 23542300x8000000000000000150684454Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:33.044{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E9D12B699593F22E0E5E435B379DCED,SHA256=01A5B5B3300148ECBE8460EC9DA4E82F27B5C436C7DB0B0E6F8EFE54492880CE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684457Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:34.060{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CE75F6AA688939BB0B59343329F0E8D,SHA256=1C5945EC020B9A4E5E9FCB23C92C8054EA33DB98C726F9FEDEE1688237DD59C9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087322Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:34.018{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D54129FA7CA4E4E83A799D6967E6CE03,SHA256=B4646E66020CEB7C77B5DF12CFBCDE059BF4D8E6758701988319FD41439153FE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000150684488Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:17.818{3BF36828-4B56-61E8-6D00-00000000CF01}4044C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local59775-false10.0.1.12-8000- 23542300x8000000000000000150684487Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:35.278{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DB607F86CCD7A662C099A2CFD34BF11D,SHA256=15D1881636C431F3B6C88F9A875C4031885AA4BEDC0A12897296373E16A76E0E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000150684486Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:35.185{3BF36828-4B39-61E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{3BF36828-0669-61F8-11DA-01000000CF01}6068C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684485Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:35.185{3BF36828-4B39-61E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{3BF36828-0669-61F8-11DA-01000000CF01}6068C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684484Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:35.185{3BF36828-4B39-61E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{3BF36828-0669-61F8-11DA-01000000CF01}6068C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684483Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:35.185{3BF36828-4B39-61E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{3BF36828-0669-61F8-11DA-01000000CF01}6068C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684482Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:35.185{3BF36828-4B39-61E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{3BF36828-0669-61F8-11DA-01000000CF01}6068C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684481Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:35.185{3BF36828-4B39-61E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{3BF36828-0669-61F8-11DA-01000000CF01}6068C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684480Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:35.185{3BF36828-4B39-61E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{3BF36828-0669-61F8-11DA-01000000CF01}6068C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684479Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:35.185{3BF36828-4B39-61E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{3BF36828-0669-61F8-11DA-01000000CF01}6068C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684478Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:35.185{3BF36828-4B39-61E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{3BF36828-0669-61F8-11DA-01000000CF01}6068C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684477Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:35.185{3BF36828-4B39-61E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{3BF36828-0669-61F8-11DA-01000000CF01}6068C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684476Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:35.185{3BF36828-4B39-61E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{3BF36828-0669-61F8-11DA-01000000CF01}6068C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684475Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:35.185{3BF36828-4B39-61E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{3BF36828-0669-61F8-11DA-01000000CF01}6068C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684474Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:35.185{3BF36828-4B39-61E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{3BF36828-0669-61F8-11DA-01000000CF01}6068C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684473Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:35.185{3BF36828-4B39-61E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{3BF36828-0669-61F8-11DA-01000000CF01}6068C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684472Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:35.185{3BF36828-4B39-61E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{3BF36828-0669-61F8-11DA-01000000CF01}6068C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684471Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:35.185{3BF36828-4B39-61E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{3BF36828-0669-61F8-11DA-01000000CF01}6068C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684470Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:35.185{3BF36828-4B39-61E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{3BF36828-0669-61F8-11DA-01000000CF01}6068C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684469Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:35.185{3BF36828-4B39-61E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{3BF36828-0669-61F8-11DA-01000000CF01}6068C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684468Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:35.185{3BF36828-4B39-61E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{3BF36828-066A-61F8-13DA-01000000CF01}3168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684467Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:35.185{3BF36828-4B39-61E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{3BF36828-066A-61F8-13DA-01000000CF01}3168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684466Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:35.185{3BF36828-4B39-61E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{3BF36828-066A-61F8-13DA-01000000CF01}3168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684465Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:35.185{3BF36828-4B39-61E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{3BF36828-066A-61F8-12DA-01000000CF01}6088C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684464Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:35.185{3BF36828-4B39-61E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{3BF36828-066A-61F8-12DA-01000000CF01}6088C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684463Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:35.185{3BF36828-4B39-61E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{3BF36828-066A-61F8-12DA-01000000CF01}6088C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684462Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:35.185{3BF36828-4B39-61E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{3BF36828-066A-61F8-12DA-01000000CF01}6088C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684461Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:35.185{3BF36828-4B39-61E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{3BF36828-066A-61F8-12DA-01000000CF01}6088C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684460Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:35.185{3BF36828-4B39-61E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{3BF36828-066A-61F8-12DA-01000000CF01}6088C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684459Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:35.185{3BF36828-4B39-61E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{3BF36828-066A-61F8-12DA-01000000CF01}6088C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000150684458Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:35.060{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19907BDD0BB7608050533B35DE9FB39A,SHA256=9D2AD2A7579E35B8F226D484A092F6A84BB80ECC90A73FE3D243235ED66FB72C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000071087324Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:28.720{B81B27B7-4B45-61E8-6600-00000000CE01}4020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local54105-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000071087323Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:35.034{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AF65CE5EF33BA1B0AA62096042BEFB7,SHA256=616235CCF69FE60179B5DF4ACF20756E1681D2082430A4FACBB5D0A299A78EE8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684489Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:36.497{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D01ADAF57D4C7F567086A11DB20E37C0,SHA256=C6F9EBE561225FC05C9352AF5CA0F3AB246B17FC5580543D7D3D360FFEF44F83,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087325Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:36.049{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A11EE703EF5C027D6FA93E3F1D3EACB,SHA256=3971EA54A261E50F4598BBE9CF47EDE8DC13EBAF234DC9159A4CD99C12560123,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684490Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:37.731{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA56DCED24C0500C36EC2E9FFE79BA25,SHA256=377399D8C30E5B40687FF62C74ED9A3AA92CF191EF5AF8AF25CAF868627D5E18,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087326Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:37.049{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A919267BCDD91C9003326E220C479AD8,SHA256=2EDFEBDEDBB2CA5549651D41DB1A2749A7D3AA1E38EB6178B2B2DE5852987CE4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684491Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:38.747{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A8F427823B98603DAD7704FCE1CA432,SHA256=B6ED41873C354F3E9A785A4D8D08B4483FCC04D01B02DE447A661163A9C01A1E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087327Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:38.049{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81A2533F91332E1602984DBA556D73E5,SHA256=E93C0E3FFBFDEE112F529203EAE5AD2215865DF264AC3A046B37767934C78BCA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684492Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:39.763{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4809FF4C8CF5398768052C9603E4B8B4,SHA256=442B3BB55614B35973565DDBE11226B061D54950F9E1D1240E6A7EE86F265BC1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087328Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:39.065{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C146C8CB20A569C4FDE2EA1E3B05A76,SHA256=E4B3DE6DE8F9FD6FC73233F715B6F471FE1855521C31FCDE77D4CB81B3A00207,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684493Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:40.810{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB8B222AEB6E58C53F60B673F4BD5081,SHA256=E510C8E4C546F728630F04B348112E5AF84070C5C15672BF6894AB930CF3ED77,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087329Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:40.065{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=153CED2070548F1854CCB0564497E449,SHA256=859C96C729F55B6AC07251953AAD3E0132CB21150F23515061BFC0ED31699DDB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684497Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:41.841{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDF384E4C0D0FF7F33716D452F30EE84,SHA256=BB544277A4D701ADD154D367ECF788E699FA755AC978081482E594E9B176903B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000071087331Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:34.703{B81B27B7-4B45-61E8-6600-00000000CE01}4020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local54106-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000071087330Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:41.081{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FF6A2696F23037283CE1380BB76947D,SHA256=F4852C8FE83F1F5FE540C2B1A8DFFCC3D08A0A71A818A005C87564D5B6D84B85,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000150684496Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:23.740{3BF36828-4B56-61E8-6D00-00000000CF01}4044C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local59776-false10.0.1.12-8000- 23542300x8000000000000000150684495Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:41.185{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=70FD86D6BFC087B409B838E5FDCE5BBF,SHA256=E85973D39C771FB8A4FD7402E7D607DC6B636BC3110E6C8888F8DF784A3ECAD1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684494Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:41.185{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=78BB64E3C3FD9F29405E39FA3B914DF8,SHA256=AD5CB17234DB6C4B3A00DD946E458E1A308363884C27710B4790B5CDF83B58B6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684498Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:42.872{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D68D6F00EABA8C62CAFE35B859EFE03F,SHA256=2512DF671B5A1905BACD6E79FE38FA83AB57A02D2E9F386483023E89A3AF0CAD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087332Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:42.096{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F65A0DA523901FAA9005400330FF26E2,SHA256=82D221E82E67ECF93E618FD6D2CBA07307C8B3347FEC4728D555942AB59233FA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684499Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:43.888{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1928E7E92FDEBA62C433378F309588D7,SHA256=5E99EC57D6306A653D27FC93393803A81CF562D50165246BB6FF559DCD1E3C9D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087333Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:43.112{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B243BB1E3BCBDEF500FE81C5CB01996,SHA256=D1528C5BBA67735649CEB6174735DCF4BDC05A5E1CC7915A756AC28853DCF1B1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684500Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:44.889{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78886D151FA937023839933C88CE72E1,SHA256=A84CA2A9CB5C687D466B90726E4247373228184A0DB3643A91B40FC708D82F71,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087334Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:44.128{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28D68861CF8A237D220EC2FF663A0C2B,SHA256=B643CDC2F3ECE7F9F0179CE1FFF89EE57353D1033C2ED189FB794D0B1C36A590,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684501Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:45.902{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=488574762FBA410EF023B25F4AB208F4,SHA256=91DD925B9E97D00070F3BFF8603F72C7EFC9EA788A6A5A166E0D2733F8187C4D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087335Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:45.159{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=559C925BBF4133F8B64962E800750375,SHA256=C7935A9F5EA5D6C7E76F45B51677D23C63533AFCE3F46E4DE71C972DF701B5D8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684502Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:46.906{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8A1A9C1D25F39A886B55DE9A29D01DE,SHA256=1CEAEA63868D81C579BC2F6779C4E368AA1DBE49C602AAC00ADE3765FD0FAC1B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000071087338Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:39.827{B81B27B7-4B45-61E8-6600-00000000CE01}4020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local54107-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000071087337Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:46.268{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4C35940F9F42A05B702F0382C6C96E8,SHA256=633BF233A5BBA67E8110D886666FDF4F24F4F3C10D1C7EFFEDE174090FA78686,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087336Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:46.159{B81B27B7-4B3A-61E8-2600-00000000CE01}2172NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684506Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:47.922{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D7A183804D41788AFE430B3C5881EA4,SHA256=F8F601C4F34FFD2C0147CB94BA2932C39F5176C377DF9D4A62F22102B2F488BD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000071087340Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:40.812{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local54108-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x800000000000000071087339Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:47.268{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=467239DB132511E56607068FF46E9AE9,SHA256=DE4B5460B3CCD01997850B46D6C59AB4B7D6EBD688614BFF34B9150059AA03F5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000150684505Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:29.634{3BF36828-4B56-61E8-6D00-00000000CF01}4044C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local59777-false10.0.1.12-8000- 23542300x8000000000000000150684504Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:47.078{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=760CDC809F95DB43CD546D9E1A37781C,SHA256=6F52E34E3CB2EF3A65B724AA216E48593FDAAC134C29496B629A521609767282,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684503Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:47.078{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=70FD86D6BFC087B409B838E5FDCE5BBF,SHA256=E85973D39C771FB8A4FD7402E7D607DC6B636BC3110E6C8888F8DF784A3ECAD1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684507Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:48.969{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=528FCA65E3DF6229135A385EF0521942,SHA256=3A65B1A747E90CDE45CF4128BCB6FD537169B852510BCBF7D425746C6E9E515F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087341Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:48.268{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED42A0925C5BF423FC4EDF2E166F7C62,SHA256=9D66B38D04D92FC243FF38F08B6E11266EFB761B4CBAB264877CF126DCAF647C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087342Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:49.299{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09414BD2B7128389A7C151C5242FA266,SHA256=67A453A8C42383024D91C8F16EF923D28A29EF9FB93C7D2B85B3289CBA6AC9E6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087343Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:50.362{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9C1DA6E1C23C8806C1CAD99D709AF3E,SHA256=FC354A26DE795D505044F77428EB55F75537AB1A408A42AA0C9ACD614671A9FA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684508Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:50.016{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46FDE5C1FF9D6F5D3F6697F42C9B5EF2,SHA256=18C7FF37321A3E7032A0C2A0CFB5FD99341EF3DB1168999C976950C58B042494,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087344Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:51.503{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF17ABCCE09B0D03E2E7A1651BBFA29D,SHA256=99BCBBCD6B500A37333F39670B6B5E9524957D8472E6A54F1C99C4E2D5FC08DD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684509Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:51.016{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E56DA32703BA27265541B3FF8C152A18,SHA256=3E9A7E3EDE9458EE45D0D88D0D9195343B5AB669906DED82369AA4BFA70C7303,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087345Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:52.596{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3515F35F817302E633D814240268529E,SHA256=1EF05E9867891B1929AD5C059BCFDF8383508E9184DF5EECDF2AC09922C84DA7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684512Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:52.141{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C79F17C36FC5936D14625E1FA44D8491,SHA256=4EAB524048A7A828AACFF3A9BF86F36BDCAB68B06A5FD0079860718D4432DAF8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684511Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:52.141{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=760CDC809F95DB43CD546D9E1A37781C,SHA256=6F52E34E3CB2EF3A65B724AA216E48593FDAAC134C29496B629A521609767282,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684510Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:52.031{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F96FB2665B02418CE6EB81791AC2702,SHA256=D045949031D7C6B5976E99D31749C90AA0D93DA18AE9E9AB0D1A084E19B84A0A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087347Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:53.799{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61376B8BE1CEFF0AD334AE4A73C27479,SHA256=FC92C6B1ED6816170AE8E8B1B24EC6D8758D382A246334CF5D5995ADC620887D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000150684515Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:34.696{3BF36828-4B56-61E8-6D00-00000000CF01}4044C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local59778-false10.0.1.12-8000- 23542300x8000000000000000150684514Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:53.063{3BF36828-4B49-61E8-2D00-00000000CF01}3056NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684513Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:53.047{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91DB1CE57413EE6D247D5E9C08E725DA,SHA256=B4C41BD542FB8E22597285BDDF53B8884BD3EEB463C386D25047CA66EE712B80,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000071087346Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:45.734{B81B27B7-4B45-61E8-6600-00000000CE01}4020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local54109-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000071087348Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:54.799{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78FA8CCDED289CEAC0D3C831CDF82A95,SHA256=320E6F0D4B38DB6A1F6ABCD627E9DF63FF452B18756A25AD0D434E77E3716470,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000150684518Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:36.618{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local59779-false10.0.1.12-8089- 23542300x8000000000000000150684517Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:54.110{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C79F17C36FC5936D14625E1FA44D8491,SHA256=4EAB524048A7A828AACFF3A9BF86F36BDCAB68B06A5FD0079860718D4432DAF8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684516Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:54.078{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=187FCD384503336A7F4E8892FDDC01C5,SHA256=2F2A84D05E6A07D8E807B6D64487977454D35C08B247572C8E14CC4B6D73547E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087350Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:55.815{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B55BE3DD980A6F2FF4B8368C89406751,SHA256=2F644F5D977F9D2542E7971D539596035169511D945F053D187BA5CB254AF882,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684519Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:55.094{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89D286B95D2A459307C5975C1EFE54EF,SHA256=8DEA20A1050D436ECF265E6E9089A541BE4D4A5DF17D992B2721249D0178CDDD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087349Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:55.628{B81B27B7-4B3A-61E8-1000-00000000CE01}984NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=D8480B65E9E02EE455AF172CA46097FA,SHA256=197D3756644F7E6C1704FA8564BD35C9841C1CB21F2B46D63F1E6C7348075215,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087351Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:56.831{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=320422EF10AD5DA1A79FB3BC99027287,SHA256=07748E50B0E5EEA6FE21ECECB3007A0CDD9C93D11E5EC96C9F22AB656B82D0DA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684520Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:56.110{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=403FC4F665DAEC49D9CAB21F446519E7,SHA256=4DE635CE27EEAD9D3983026978F3E8C746AB73171931B3D7E0FBA31C4C240D05,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087352Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:57.831{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBD8D1865BEF57AEACA5A8212910A0F9,SHA256=53CD36CDB9D3AA15F0B30527A9F11627B9EA2BE940B1AC40A148E6F947982F80,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684521Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:57.156{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC20B990AF7F7F44DA7D4AEE0AFA75D8,SHA256=549C9653BFD1DD38201E0D7F1F4DD8DE25772517675ED02E42F6B57CA43BFCFB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087354Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:58.846{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=896F99FC0820C6794CC8CB7A90326DD2,SHA256=CB7554586A991B5F0CBCF00BDD860EF1ACF4A8FF67042AD26D3B3A86B2CC8ED8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684523Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:58.188{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A69B753114F6E2AC12C153462AEA2761,SHA256=02659234AE158162F18B7CE6AF30E12D821FAC9AB9063AADB150DF785D01C6C2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000071087353Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:50.812{B81B27B7-4B45-61E8-6600-00000000CE01}4020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local54110-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000150684522Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:58.094{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4F61A368DE3FF36277F6E1485BB75A20,SHA256=23E0AC5A58AF204DDA63538AE551B618AAE747640E4D858568B9C469E046D3ED,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087355Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:59.862{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=893F09B49A6AB5C333979BEB9311C4E4,SHA256=28678F1A9B2EA5C6540005C531A34A537ECD063C7023FAA132E4A390CB83EE6C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684525Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:59.235{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FE350D685D6C7C8D5E8B0F8044A60CE,SHA256=48EDEF0BE5D70B423620D94D83A9E93792BAB6F69E09BD917594A9E6A6395A8B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000150684524Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:40.634{3BF36828-4B56-61E8-6D00-00000000CF01}4044C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local59780-false10.0.1.12-8000- 23542300x800000000000000071087356Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:00.878{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=619D3D5C5A5C844001086FEC5C39E283,SHA256=8AE9E02D5062180C67DE78A46CE19F19E9685FC9A91DA1B4D676EB942F00E7EC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684526Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:00.250{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF09C7E11C29BA423ECCD3B14F762E31,SHA256=8053FBCD59550BC692FB1A7E6A7BF4E1A93DE03DD499AB2AB1104AD123D2FFC1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087357Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:01.893{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D5E8B1AD94A1621CCB96CF3CC0B8EAD,SHA256=B13A9B39D4795502726DFF17FEACACF98D7A47318320EF3429E135410887A967,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684527Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:01.266{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7653D5A67E965E692CCDF636430907A9,SHA256=3346142123B48DFEB327D7D47695E29A15E3E5BCA99C995BF87E39E3A6EAFDE7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087358Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:02.909{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F93C3DBA9B966AFBD79012A0499A62FE,SHA256=FBCE9C5DF910144CCDC663126FC64740BCA06C78726C96C95712294347D0EC0B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000150684579Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:02.969{3BF36828-BB72-61F9-900D-02000000CF01}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000150684578Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:02.969{3BF36828-BB72-61F9-900D-02000000CF01}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000150684577Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:02.969{3BF36828-BB72-61F9-900D-02000000CF01}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000150684576Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:02.813{3BF36828-BB72-61F9-900D-02000000CF01}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000150684575Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:02.813{3BF36828-BB72-61F9-900D-02000000CF01}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000150684574Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:02.813{3BF36828-BB72-61F9-900D-02000000CF01}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000150684573Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:02.813{3BF36828-BB72-61F9-900D-02000000CF01}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000150684572Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:02.813{3BF36828-BB72-61F9-900D-02000000CF01}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000150684571Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:02.813{3BF36828-BB72-61F9-900D-02000000CF01}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000150684570Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:02.813{3BF36828-BB72-61F9-900D-02000000CF01}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000150684569Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:02.813{3BF36828-BB72-61F9-900D-02000000CF01}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000150684568Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:02.797{3BF36828-BB72-61F9-900D-02000000CF01}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000150684567Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:02.797{3BF36828-BB72-61F9-900D-02000000CF01}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000150684566Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:02.797{3BF36828-BB72-61F9-900D-02000000CF01}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000150684565Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:02.797{3BF36828-BB72-61F9-900D-02000000CF01}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000150684564Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:02.797{3BF36828-BB72-61F9-900D-02000000CF01}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000150684563Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:02.797{3BF36828-BB72-61F9-900D-02000000CF01}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000150684562Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:02.797{3BF36828-BB72-61F9-900D-02000000CF01}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000150684561Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:02.797{3BF36828-BB72-61F9-900D-02000000CF01}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000150684560Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:02.797{3BF36828-BB72-61F9-900D-02000000CF01}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000150684559Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:02.797{3BF36828-BB72-61F9-900D-02000000CF01}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150684558Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:02.797{3BF36828-BB72-61F9-900D-02000000CF01}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000150684557Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:02.797{3BF36828-BB72-61F9-900D-02000000CF01}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000150684556Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:02.797{3BF36828-BB72-61F9-900D-02000000CF01}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000150684555Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:02.797{3BF36828-BB72-61F9-900D-02000000CF01}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000150684554Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:02.797{3BF36828-BB72-61F9-900D-02000000CF01}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000150684553Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:02.797{3BF36828-BB72-61F9-900D-02000000CF01}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000150684552Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:02.797{3BF36828-BB72-61F9-900D-02000000CF01}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000150684551Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:02.797{3BF36828-BB72-61F9-900D-02000000CF01}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000150684550Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:02.797{3BF36828-BB72-61F9-900D-02000000CF01}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000150684549Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:02.797{3BF36828-BB72-61F9-900D-02000000CF01}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000150684548Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:02.797{3BF36828-BB72-61F9-900D-02000000CF01}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000150684547Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:02.797{3BF36828-BB72-61F9-900D-02000000CF01}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000150684546Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:02.797{3BF36828-BB72-61F9-900D-02000000CF01}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000150684545Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:02.797{3BF36828-BB72-61F9-900D-02000000CF01}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000150684544Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:02.797{3BF36828-BB72-61F9-900D-02000000CF01}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000150684543Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:02.797{3BF36828-BB72-61F9-900D-02000000CF01}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000150684542Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:02.797{3BF36828-BB72-61F9-900D-02000000CF01}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x8000000000000000150684541Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:02.797{3BF36828-BB72-61F9-900D-02000000CF01}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x8000000000000000150684540Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:02.797{3BF36828-4B4B-61E8-3600-00000000CF01}34443464C:\Windows\system32\conhost.exe{3BF36828-BB72-61F9-900D-02000000CF01}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150684539Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:02.797{3BF36828-BB72-61F9-900D-02000000CF01}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000150684538Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:02.797{3BF36828-BB72-61F9-900D-02000000CF01}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000150684537Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:02.797{3BF36828-BB72-61F9-900D-02000000CF01}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150684536Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:02.797{3BF36828-BB72-61F9-900D-02000000CF01}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8trueSplunk, Inc.Valid 10341000x8000000000000000150684535Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:02.797{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684534Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:02.797{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684533Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:02.797{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684532Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:02.797{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684531Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:02.797{3BF36828-4B36-61E8-0500-00000000CF01}416432C:\Windows\system32\csrss.exe{3BF36828-BB72-61F9-900D-02000000CF01}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000150684530Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:02.797{3BF36828-4B49-61E8-2D00-00000000CF01}30564072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-BB72-61F9-900D-02000000CF01}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000150684529Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:02.782{3BF36828-BB72-61F9-900D-02000000CF01}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4B37-61E8-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000150684528Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:02.297{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=068B0725281971510BC4203F5E0F65B8,SHA256=36A532FD3A84EF243D2ABC3166995C633579B0E95AE42D57DF44EDD6430DB7A9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087359Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:03.925{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F18BC39C1776BA86F04C179A6FF03658,SHA256=27E0ECC1B3A412FED1CDC2192A00F422D3B33D3FF470CEFFE963695785BAA19B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000150684637Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:03.766{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B37-61E8-0B00-00000000CF01}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684636Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:03.766{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B37-61E8-0B00-00000000CF01}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684635Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:03.766{3BF36828-4B37-61E8-0B00-00000000CF01}6324464C:\Windows\system32\lsass.exe{3BF36828-4B37-61E8-0A00-00000000CF01}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150684634Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:03.766{3BF36828-4B39-61E8-1400-00000000CF01}1072C:\Windows\System32\svchost.exeC:\Windows\System32\OnDemandConnRouteHelper.dll10.0.14393.4169 (rs1_release.210107-1130)On Demand Connctiond Route HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationOnDemandConnRouteHelper.dllMD5=BAE78E97BEBB832376654560305922E3,SHA256=6A188DC4F1005E46CCA529E9C757D9B3B5F98E5587AFAA5E4200C7DD2AC73355,IMPHASH=FE994282C73F9AB11AC9B6E37AC26B47trueMicrosoft WindowsValid 10341000x8000000000000000150684633Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:03.641{3BF36828-BB73-61F9-910D-02000000CF01}53645700C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150684632Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:03.641{3BF36828-BB73-61F9-910D-02000000CF01}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000150684631Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:03.625{3BF36828-BB73-61F9-910D-02000000CF01}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000150684630Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:03.453{3BF36828-BB73-61F9-910D-02000000CF01}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000150684629Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:03.453{3BF36828-BB73-61F9-910D-02000000CF01}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000150684628Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:03.453{3BF36828-BB73-61F9-910D-02000000CF01}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000150684627Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:03.453{3BF36828-BB73-61F9-910D-02000000CF01}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000150684626Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:03.453{3BF36828-BB73-61F9-910D-02000000CF01}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000150684625Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:03.453{3BF36828-BB73-61F9-910D-02000000CF01}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000150684624Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:03.453{3BF36828-BB73-61F9-910D-02000000CF01}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000150684623Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:03.453{3BF36828-BB73-61F9-910D-02000000CF01}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000150684622Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:03.453{3BF36828-BB73-61F9-910D-02000000CF01}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000150684621Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:03.438{3BF36828-BB73-61F9-910D-02000000CF01}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000150684620Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:03.438{3BF36828-BB73-61F9-910D-02000000CF01}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000150684619Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:03.438{3BF36828-BB73-61F9-910D-02000000CF01}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000150684618Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:03.438{3BF36828-BB73-61F9-910D-02000000CF01}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000150684617Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:03.438{3BF36828-BB73-61F9-910D-02000000CF01}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000150684616Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:03.438{3BF36828-BB73-61F9-910D-02000000CF01}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000150684615Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:03.438{3BF36828-BB73-61F9-910D-02000000CF01}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000150684614Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:03.438{3BF36828-BB73-61F9-910D-02000000CF01}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000150684613Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:03.438{3BF36828-BB73-61F9-910D-02000000CF01}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000150684612Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:03.438{3BF36828-BB73-61F9-910D-02000000CF01}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000150684611Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:03.438{3BF36828-BB73-61F9-910D-02000000CF01}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000150684610Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:03.438{3BF36828-BB73-61F9-910D-02000000CF01}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000150684609Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:03.438{3BF36828-BB73-61F9-910D-02000000CF01}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000150684608Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:03.438{3BF36828-BB73-61F9-910D-02000000CF01}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000150684607Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:03.438{3BF36828-BB73-61F9-910D-02000000CF01}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x8000000000000000150684606Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:03.438{3BF36828-BB73-61F9-910D-02000000CF01}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000150684605Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:03.438{3BF36828-BB73-61F9-910D-02000000CF01}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000150684604Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:03.438{3BF36828-BB73-61F9-910D-02000000CF01}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000150684603Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:03.438{3BF36828-BB73-61F9-910D-02000000CF01}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000150684602Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:03.438{3BF36828-BB73-61F9-910D-02000000CF01}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000150684601Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:03.438{3BF36828-BB73-61F9-910D-02000000CF01}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000150684600Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:03.438{3BF36828-BB73-61F9-910D-02000000CF01}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000150684599Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:03.438{3BF36828-BB73-61F9-910D-02000000CF01}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000150684598Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:03.438{3BF36828-BB73-61F9-910D-02000000CF01}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000150684597Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:03.438{3BF36828-BB73-61F9-910D-02000000CF01}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000150684596Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:03.438{3BF36828-BB73-61F9-910D-02000000CF01}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150684595Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:03.438{3BF36828-BB73-61F9-910D-02000000CF01}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000150684594Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:03.438{3BF36828-4B4B-61E8-3600-00000000CF01}34443464C:\Windows\system32\conhost.exe{3BF36828-BB73-61F9-910D-02000000CF01}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150684593Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:03.422{3BF36828-BB73-61F9-910D-02000000CF01}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000150684592Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:03.422{3BF36828-BB73-61F9-910D-02000000CF01}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000150684591Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:03.422{3BF36828-BB73-61F9-910D-02000000CF01}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150684590Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:03.422{3BF36828-BB73-61F9-910D-02000000CF01}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165trueSplunk, Inc.Valid 10341000x8000000000000000150684589Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:03.422{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684588Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:03.422{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684587Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:03.422{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684586Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:03.422{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684585Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:03.422{3BF36828-4B36-61E8-0500-00000000CF01}4164876C:\Windows\system32\csrss.exe{3BF36828-BB73-61F9-910D-02000000CF01}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000150684584Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:03.422{3BF36828-4B49-61E8-2D00-00000000CF01}30564072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-BB73-61F9-910D-02000000CF01}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000150684583Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:03.410{3BF36828-BB73-61F9-910D-02000000CF01}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4B37-61E8-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000150684582Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:03.406{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31E6700D0FBE3E71ADAFDEEA72A624DB,SHA256=874A77B3955161968FC954D55FBEDC4228F03C01456E8555E116153F55CD2153,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684581Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:03.172{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=16F17A79450BBD4BC845C10409B10615,SHA256=48E76552F652C5D532CDDA5931A85B8382DAC59B5B71BEEECACE473D16F12033,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684580Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:03.172{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=154D0DCA17CDCA5738A0EB2691C2F438,SHA256=FCFC34C64E48239C37740FAA6C4B43E162829BB80A097746D24B4B88E2F1081C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087374Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:04.940{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F74FE8FB89CAD7294454D27066F05F8D,SHA256=DFABB1D69D75FBBF39476586115E50BFD637C61B23CD3E9AD76FA8EBB36A8E93,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684642Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:04.781{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=C9B6FBF068F47A4936F49410B099842F,SHA256=17C8A366704120CC6B886A5915738B19B8DFDD406000AC562AB8E81716216871,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684641Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:04.781{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=C5B1C032DF695FEC315AEDDF5858D3E4,SHA256=30045EFBCC4F78025F4178F4CF33B6FAA3B7E8A4BC91BD249C4A54B9337DB344,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684640Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:04.547{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFF2C5B6976ED0DE8338FBDE81422F89,SHA256=205AACE8138260AA66C098E1213F3BB44779B2C7E2D1CCE6100AB2ABA8AC02DE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000071087373Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:04.362{B81B27B7-4B38-61E8-0B00-00000000CE01}6404196C:\Windows\system32\lsass.exe{B81B27B7-BB74-61F9-580D-02000000CE01}2564C:\Tools\x64\mimikatz.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087372Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:04.362{B81B27B7-4B38-61E8-0B00-00000000CE01}6404196C:\Windows\system32\lsass.exe{B81B27B7-BB74-61F9-580D-02000000CE01}2564C:\Tools\x64\mimikatz.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000071087371Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:04.315{B81B27B7-BB74-61F9-580D-02000000CE01}2564C:\Tools\x64\mimikatz.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 10341000x800000000000000071087370Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:04.315{B81B27B7-BB14-61F9-4F0D-02000000CE01}50205068C:\Windows\system32\conhost.exe{B81B27B7-BB74-61F9-580D-02000000CE01}2564C:\Tools\x64\mimikatz.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087369Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:04.315{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087368Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:04.315{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087367Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:04.315{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087366Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:04.315{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087365Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:04.315{B81B27B7-AECD-61F9-A70B-02000000CE01}2203852C:\Windows\system32\csrss.exe{B81B27B7-BB74-61F9-580D-02000000CE01}2564C:\Tools\x64\mimikatz.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000071087364Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:04.315{B81B27B7-BB14-61F9-4E0D-02000000CE01}24002204C:\Windows\system32\cmd.exe{B81B27B7-BB74-61F9-580D-02000000CE01}2564C:\Tools\x64\mimikatz.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000071087363Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:04.323{B81B27B7-BB74-61F9-580D-02000000CE01}2564C:\Tools\x64\mimikatz.exe2.2.0.0mimikatz for Windowsmimikatzgentilkiwi (Benjamin DELPY)mimikatz.exemimikatz.exe "privilege::debug" "sekurlsa::tickets /export"C:\Tools\x64\ATTACKRANGE\REED_SCHMIDT{B81B27B7-AECE-61F9-0184-781000000000}0x107884015MediumMD5=BB8BDB3E8C92E97E2F63626BC3B254C4,SHA256=912018AB3C6B16B39EE84F17745FF0C80A33CEE241013EC35D0281E40C0658D9,IMPHASH=9528A0E91E28FBB88AD433FEABCA2456{B81B27B7-BB14-61F9-4E0D-02000000CE01}2400C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" 23542300x800000000000000071087362Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:04.221{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9755226DC2640901209D1D897A7B03D4,SHA256=96EA9FAFC0A2B52B957BE923F6D92D8DD832ACC3562C48AF007D466D31813211,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087361Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:04.221{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=84D0D30ACF44EA8EB1AF396CD761AA74,SHA256=A62F638FB53819C3CA5F8C741962FD94B0D2A2AA8C31A6B432C33A97A5488557,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000071087360Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 22:59:55.890{B81B27B7-4B45-61E8-6600-00000000CE01}4020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local54111-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000150684639Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:04.422{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=16F17A79450BBD4BC845C10409B10615,SHA256=48E76552F652C5D532CDDA5931A85B8382DAC59B5B71BEEECACE473D16F12033,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000150684638Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:45.681{3BF36828-4B56-61E8-6D00-00000000CF01}4044C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local59781-false10.0.1.12-8000- 23542300x800000000000000071087376Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:05.957{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BD72970119E3D415BA503B2FE51049D,SHA256=AAA915C8D31415593ACA4BAF7819A282DFEE9F8341DAB5FB97DEDEB6424175C9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684647Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:05.563{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BF9FD9EB0C18C35C24D274BD984308F,SHA256=685A95B938DA2B54D9C8AE98B3C8ED6677A3467618307992E247BE3BFCACEB26,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087375Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:05.346{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9755226DC2640901209D1D897A7B03D4,SHA256=96EA9FAFC0A2B52B957BE923F6D92D8DD832ACC3562C48AF007D466D31813211,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000150684646Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:47.357{3BF36828-4B39-61E8-1400-00000000CF01}1072C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.14win-dc-128.attackrange.local59782-false209.197.3.8vip0x008.map2.ssl.hwcdn.net80http 354300x8000000000000000150684645Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:47.347{3BF36828-4B49-61E8-2E00-00000000CF01}2160C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local64682- 354300x8000000000000000150684644Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:47.346{3BF36828-4B49-61E8-2E00-00000000CF01}2160C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local62571- 354300x8000000000000000150684643Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:47.345{3BF36828-4B49-61E8-2E00-00000000CF01}2160C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local59322- 23542300x8000000000000000150684648Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:06.594{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20D1E160F40BC5C6814E544024E3F28F,SHA256=DA7E2AFB3C7CA2818EB0B4428EE0AB98B63BF93BBCEC8CDF6AB1EB8C75035150,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684649Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:07.610{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F95EF3CAC10603B44A8874F8EE39E240,SHA256=DF28D754523E558DF71012009E64013E360F66A1775299739906CFB65255054D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087377Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:07.064{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E86B3CC7A13502697E231FEF4C812ED9,SHA256=F0679D47C2DDBEEFEB2FE420656A279A935D0D9CC888597B3E7901A264B1874B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684705Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:08.969{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7A0991DBA405642F31B98A5ACDC6261,SHA256=E31A076E6E835C526FFC3A53D83B7CB43963EF9CEAE78FE8CD66ADA545E1DFF3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000150684704Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:08.703{3BF36828-BB78-61F9-920D-02000000CF01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000150684703Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:08.703{3BF36828-BB78-61F9-920D-02000000CF01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000150684702Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:08.703{3BF36828-BB78-61F9-920D-02000000CF01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 354300x800000000000000071087379Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:01.733{B81B27B7-4B45-61E8-6600-00000000CE01}4020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local54112-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000071087378Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:08.099{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31D84A88FDB98088F5E3D60B1A4A52F7,SHA256=ADD2138F457EDF95EF134F00C4F73DFBC8D79C1AF0C537DB13802C1C6A54BCCC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000150684701Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:08.547{3BF36828-BB78-61F9-920D-02000000CF01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000150684700Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:08.547{3BF36828-BB78-61F9-920D-02000000CF01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000150684699Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:08.547{3BF36828-BB78-61F9-920D-02000000CF01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000150684698Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:08.547{3BF36828-BB78-61F9-920D-02000000CF01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000150684697Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:08.547{3BF36828-BB78-61F9-920D-02000000CF01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000150684696Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:08.547{3BF36828-BB78-61F9-920D-02000000CF01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000150684695Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:08.547{3BF36828-BB78-61F9-920D-02000000CF01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000150684694Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:08.547{3BF36828-BB78-61F9-920D-02000000CF01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000150684693Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:08.531{3BF36828-BB78-61F9-920D-02000000CF01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000150684692Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:08.531{3BF36828-BB78-61F9-920D-02000000CF01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000150684691Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:08.531{3BF36828-BB78-61F9-920D-02000000CF01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000150684690Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:08.531{3BF36828-BB78-61F9-920D-02000000CF01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000150684689Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:08.531{3BF36828-BB78-61F9-920D-02000000CF01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000150684688Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:08.531{3BF36828-BB78-61F9-920D-02000000CF01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000150684687Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:08.531{3BF36828-BB78-61F9-920D-02000000CF01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000150684686Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:08.531{3BF36828-BB78-61F9-920D-02000000CF01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000150684685Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:08.531{3BF36828-BB78-61F9-920D-02000000CF01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000150684684Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:08.531{3BF36828-BB78-61F9-920D-02000000CF01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000150684683Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:08.531{3BF36828-BB78-61F9-920D-02000000CF01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000150684682Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:08.531{3BF36828-BB78-61F9-920D-02000000CF01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000150684681Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:08.531{3BF36828-BB78-61F9-920D-02000000CF01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000150684680Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:08.531{3BF36828-BB78-61F9-920D-02000000CF01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000150684679Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:08.531{3BF36828-BB78-61F9-920D-02000000CF01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000150684678Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:08.531{3BF36828-BB78-61F9-920D-02000000CF01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000150684677Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:08.531{3BF36828-BB78-61F9-920D-02000000CF01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000150684676Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:08.531{3BF36828-BB78-61F9-920D-02000000CF01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150684675Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:08.531{3BF36828-BB78-61F9-920D-02000000CF01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000150684674Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:08.531{3BF36828-BB78-61F9-920D-02000000CF01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000150684673Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:08.531{3BF36828-BB78-61F9-920D-02000000CF01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000150684672Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:08.531{3BF36828-BB78-61F9-920D-02000000CF01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000150684671Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:08.531{3BF36828-BB78-61F9-920D-02000000CF01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x8000000000000000150684670Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:08.531{3BF36828-BB78-61F9-920D-02000000CF01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000150684669Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:08.531{3BF36828-BB78-61F9-920D-02000000CF01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000150684668Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:08.531{3BF36828-BB78-61F9-920D-02000000CF01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x8000000000000000150684667Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:08.531{3BF36828-BB78-61F9-920D-02000000CF01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x8000000000000000150684666Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:08.531{3BF36828-BB78-61F9-920D-02000000CF01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000150684665Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:08.531{3BF36828-BB78-61F9-920D-02000000CF01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x8000000000000000150684664Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:08.531{3BF36828-BB78-61F9-920D-02000000CF01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000150684663Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:08.531{3BF36828-BB78-61F9-920D-02000000CF01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000150684662Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:08.531{3BF36828-BB78-61F9-920D-02000000CF01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x8000000000000000150684661Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:08.531{3BF36828-4B4B-61E8-3600-00000000CF01}34443464C:\Windows\system32\conhost.exe{3BF36828-BB78-61F9-920D-02000000CF01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150684660Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:08.531{3BF36828-BB78-61F9-920D-02000000CF01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000150684659Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:08.531{3BF36828-BB78-61F9-920D-02000000CF01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000150684658Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:08.531{3BF36828-BB78-61F9-920D-02000000CF01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150684657Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:08.531{3BF36828-BB78-61F9-920D-02000000CF01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AECtrueSplunk, Inc.Valid 10341000x8000000000000000150684656Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:08.531{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684655Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:08.531{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684654Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:08.531{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684653Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:08.531{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684652Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:08.531{3BF36828-4B36-61E8-0500-00000000CF01}416532C:\Windows\system32\csrss.exe{3BF36828-BB78-61F9-920D-02000000CF01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000150684651Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:08.531{3BF36828-4B49-61E8-2D00-00000000CF01}30564072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-BB78-61F9-920D-02000000CF01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000150684650Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:08.517{3BF36828-BB78-61F9-920D-02000000CF01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4B37-61E8-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000150684807Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.953{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A89F4DBD11F65EA99C64D7072BC0DA3D,SHA256=DDAA10DDEB6E530A249CB4335AA96D2BA462FFC3DAB614134DA3BEC2E83AA5A2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000150684806Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.922{3BF36828-BB79-61F9-940D-02000000CF01}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000150684805Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.922{3BF36828-BB79-61F9-940D-02000000CF01}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000150684804Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.922{3BF36828-BB79-61F9-940D-02000000CF01}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000150684803Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.922{3BF36828-BB79-61F9-940D-02000000CF01}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000150684802Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.922{3BF36828-BB79-61F9-940D-02000000CF01}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000150684801Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.922{3BF36828-BB79-61F9-940D-02000000CF01}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000150684800Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.922{3BF36828-BB79-61F9-940D-02000000CF01}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000150684799Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.922{3BF36828-BB79-61F9-940D-02000000CF01}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000150684798Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.906{3BF36828-BB79-61F9-940D-02000000CF01}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000150684797Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.906{3BF36828-BB79-61F9-940D-02000000CF01}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000150684796Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.906{3BF36828-BB79-61F9-940D-02000000CF01}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000150684795Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.906{3BF36828-BB79-61F9-940D-02000000CF01}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000150684794Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.906{3BF36828-BB79-61F9-940D-02000000CF01}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000150684793Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.906{3BF36828-BB79-61F9-940D-02000000CF01}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000150684792Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.906{3BF36828-BB79-61F9-940D-02000000CF01}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000150684791Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.906{3BF36828-BB79-61F9-940D-02000000CF01}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000150684790Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.906{3BF36828-BB79-61F9-940D-02000000CF01}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150684789Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.906{3BF36828-BB79-61F9-940D-02000000CF01}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000150684788Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.906{3BF36828-BB79-61F9-940D-02000000CF01}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000150684787Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.906{3BF36828-BB79-61F9-940D-02000000CF01}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000150684786Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.906{3BF36828-BB79-61F9-940D-02000000CF01}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000150684785Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.906{3BF36828-BB79-61F9-940D-02000000CF01}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000150684784Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.906{3BF36828-BB79-61F9-940D-02000000CF01}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000150684783Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.906{3BF36828-BB79-61F9-940D-02000000CF01}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000150684782Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.906{3BF36828-BB79-61F9-940D-02000000CF01}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000150684781Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.906{3BF36828-BB79-61F9-940D-02000000CF01}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000150684780Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.906{3BF36828-BB79-61F9-940D-02000000CF01}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000150684779Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.906{3BF36828-BB79-61F9-940D-02000000CF01}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000150684778Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.906{3BF36828-BB79-61F9-940D-02000000CF01}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000150684777Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.906{3BF36828-BB79-61F9-940D-02000000CF01}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000150684776Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.906{3BF36828-BB79-61F9-940D-02000000CF01}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000150684775Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.906{3BF36828-BB79-61F9-940D-02000000CF01}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000150684774Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.906{3BF36828-BB79-61F9-940D-02000000CF01}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000150684773Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.906{3BF36828-BB79-61F9-940D-02000000CF01}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000150684772Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.906{3BF36828-BB79-61F9-940D-02000000CF01}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000150684771Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.906{3BF36828-BB79-61F9-940D-02000000CF01}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x8000000000000000150684770Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.906{3BF36828-4B4B-61E8-3600-00000000CF01}34443464C:\Windows\system32\conhost.exe{3BF36828-BB79-61F9-940D-02000000CF01}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150684769Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.906{3BF36828-BB79-61F9-940D-02000000CF01}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000150684768Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.906{3BF36828-BB79-61F9-940D-02000000CF01}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000150684767Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.906{3BF36828-BB79-61F9-940D-02000000CF01}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150684766Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.906{3BF36828-BB79-61F9-940D-02000000CF01}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25trueSplunk, Inc.Valid 10341000x8000000000000000150684765Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.906{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684764Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.906{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684763Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.906{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684762Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.906{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684761Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.906{3BF36828-4B36-61E8-0500-00000000CF01}4164876C:\Windows\system32\csrss.exe{3BF36828-BB79-61F9-940D-02000000CF01}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000150684760Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.906{3BF36828-4B49-61E8-2D00-00000000CF01}30564072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-BB79-61F9-940D-02000000CF01}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000150684759Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.892{3BF36828-BB79-61F9-940D-02000000CF01}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4B37-61E8-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000071087396Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:09.912{B81B27B7-4B3C-61E8-3000-00000000CE01}31083128C:\Windows\system32\conhost.exe{B81B27B7-BB79-61F9-5A0D-02000000CE01}4996C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087395Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:09.912{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087394Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:09.912{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087393Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:09.912{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087392Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:09.912{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087391Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:09.912{B81B27B7-4B38-61E8-0500-00000000CE01}420436C:\Windows\system32\csrss.exe{B81B27B7-BB79-61F9-5A0D-02000000CE01}4996C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000071087390Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:09.912{B81B27B7-4B3A-61E8-2600-00000000CE01}21723992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-BB79-61F9-5A0D-02000000CE01}4996C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000071087389Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:09.898{B81B27B7-BB79-61F9-5A0D-02000000CE01}4996C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4B39-61E8-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000071087388Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:09.240{B81B27B7-4B3C-61E8-3000-00000000CE01}31083128C:\Windows\system32\conhost.exe{B81B27B7-BB79-61F9-590D-02000000CE01}4884C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087387Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:09.224{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087386Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:09.224{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087385Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:09.224{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087384Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:09.224{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087383Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:09.224{B81B27B7-4B38-61E8-0500-00000000CE01}420436C:\Windows\system32\csrss.exe{B81B27B7-BB79-61F9-590D-02000000CE01}4884C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000071087382Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:09.224{B81B27B7-4B3A-61E8-2600-00000000CE01}21723992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-BB79-61F9-590D-02000000CE01}4884C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000071087381Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:09.209{B81B27B7-BB79-61F9-590D-02000000CE01}4884C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4B39-61E8-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000071087380Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:09.101{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C06F9DBC055BA219446805FB97820755,SHA256=ADDD2C9E412A5113D05B52D750B0496215934817B5B027B39FD260C06273E60C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000150684758Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:51.727{3BF36828-4B56-61E8-6D00-00000000CF01}4044C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local59783-false10.0.1.12-8000- 734700x8000000000000000150684757Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.376{3BF36828-BB79-61F9-930D-02000000CF01}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000150684756Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.376{3BF36828-BB79-61F9-930D-02000000CF01}20285980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150684755Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.376{3BF36828-BB79-61F9-930D-02000000CF01}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000150684754Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.376{3BF36828-BB79-61F9-930D-02000000CF01}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000150684753Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.235{3BF36828-BB79-61F9-930D-02000000CF01}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000150684752Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.235{3BF36828-BB79-61F9-930D-02000000CF01}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000150684751Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.235{3BF36828-BB79-61F9-930D-02000000CF01}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000150684750Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.235{3BF36828-BB79-61F9-930D-02000000CF01}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000150684749Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.235{3BF36828-BB79-61F9-930D-02000000CF01}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000150684748Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.235{3BF36828-BB79-61F9-930D-02000000CF01}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000150684747Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.235{3BF36828-BB79-61F9-930D-02000000CF01}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000150684746Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.235{3BF36828-BB79-61F9-930D-02000000CF01}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000150684745Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.219{3BF36828-BB79-61F9-930D-02000000CF01}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000150684744Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.219{3BF36828-BB79-61F9-930D-02000000CF01}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000150684743Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.219{3BF36828-BB79-61F9-930D-02000000CF01}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000150684742Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.219{3BF36828-BB79-61F9-930D-02000000CF01}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000150684741Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.219{3BF36828-BB79-61F9-930D-02000000CF01}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000150684740Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.219{3BF36828-BB79-61F9-930D-02000000CF01}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000150684739Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.219{3BF36828-BB79-61F9-930D-02000000CF01}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000150684738Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.219{3BF36828-BB79-61F9-930D-02000000CF01}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000150684737Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.219{3BF36828-BB79-61F9-930D-02000000CF01}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000150684736Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.219{3BF36828-BB79-61F9-930D-02000000CF01}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150684735Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.219{3BF36828-BB79-61F9-930D-02000000CF01}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000150684734Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.219{3BF36828-BB79-61F9-930D-02000000CF01}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000150684733Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.219{3BF36828-BB79-61F9-930D-02000000CF01}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000150684732Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.219{3BF36828-BB79-61F9-930D-02000000CF01}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000150684731Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.219{3BF36828-BB79-61F9-930D-02000000CF01}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000150684730Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.219{3BF36828-BB79-61F9-930D-02000000CF01}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000150684729Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.219{3BF36828-BB79-61F9-930D-02000000CF01}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000150684728Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.219{3BF36828-BB79-61F9-930D-02000000CF01}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000150684727Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.219{3BF36828-BB79-61F9-930D-02000000CF01}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000150684726Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.219{3BF36828-BB79-61F9-930D-02000000CF01}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000150684725Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.219{3BF36828-BB79-61F9-930D-02000000CF01}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000150684724Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.219{3BF36828-BB79-61F9-930D-02000000CF01}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000150684723Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.219{3BF36828-BB79-61F9-930D-02000000CF01}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000150684722Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.219{3BF36828-BB79-61F9-930D-02000000CF01}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000150684721Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.219{3BF36828-BB79-61F9-930D-02000000CF01}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000150684720Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.219{3BF36828-BB79-61F9-930D-02000000CF01}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000150684719Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.219{3BF36828-BB79-61F9-930D-02000000CF01}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x8000000000000000150684718Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.219{3BF36828-4B4B-61E8-3600-00000000CF01}34443464C:\Windows\system32\conhost.exe{3BF36828-BB79-61F9-930D-02000000CF01}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150684717Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.219{3BF36828-BB79-61F9-930D-02000000CF01}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000150684716Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.219{3BF36828-BB79-61F9-930D-02000000CF01}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000150684715Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.219{3BF36828-BB79-61F9-930D-02000000CF01}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150684714Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.219{3BF36828-BB79-61F9-930D-02000000CF01}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x8000000000000000150684713Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.219{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684712Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.219{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684711Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.219{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684710Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.219{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684709Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.219{3BF36828-4B36-61E8-0500-00000000CF01}416532C:\Windows\system32\csrss.exe{3BF36828-BB79-61F9-930D-02000000CF01}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000150684708Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.219{3BF36828-4B49-61E8-2D00-00000000CF01}30564072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-BB79-61F9-930D-02000000CF01}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000150684707Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.204{3BF36828-BB79-61F9-930D-02000000CF01}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4B37-61E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000150684706Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:09.203{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E96330CFDEF0F613F1978ABC8079B17C,SHA256=EB1CBA191EEA5DE4C112CB35B3FFE53655F6A528DA3D47E0E3D8B371EAE742A2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000071087407Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:10.771{B81B27B7-BB7A-61F9-5B0D-02000000CE01}18484648C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087406Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:10.599{B81B27B7-4B3C-61E8-3000-00000000CE01}31083128C:\Windows\system32\conhost.exe{B81B27B7-BB7A-61F9-5B0D-02000000CE01}1848C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087405Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:10.599{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087404Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:10.599{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087403Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:10.599{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087402Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:10.599{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087401Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:10.599{B81B27B7-4B38-61E8-0500-00000000CE01}420436C:\Windows\system32\csrss.exe{B81B27B7-BB7A-61F9-5B0D-02000000CE01}1848C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000071087400Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:10.599{B81B27B7-4B3A-61E8-2600-00000000CE01}21723992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-BB7A-61F9-5B0D-02000000CE01}1848C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000071087399Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:10.584{B81B27B7-BB7A-61F9-5B0D-02000000CE01}1848C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4B39-61E8-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000071087398Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:10.209{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF7B013A01295F3C1EE049ADF9DD0F9B,SHA256=B2F1AC755588D41845CEFD60FFCF3D3F2365E7E94EB07C232F3936FF0BC7E9DB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087397Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:10.209{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C753412D08E0C9696B4C00140FDF7B76,SHA256=6713059A0FC85ABD5C9D3839A9E1CE55F864A2A6CB0AA3671885BBCEA45C5BFB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000150684864Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:10.766{3BF36828-BB7A-61F9-950D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000150684863Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:10.766{3BF36828-BB7A-61F9-950D-02000000CF01}51721628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150684862Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:10.766{3BF36828-BB7A-61F9-950D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000150684861Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:10.766{3BF36828-BB7A-61F9-950D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000150684860Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:10.672{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57E10C19EE9AA4525B7E8B79E7D36C86,SHA256=AAED206404B14DE27F34D35200B9C2ED39416ABED6B2273E4ED1E822303CEF33,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000150684859Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:10.610{3BF36828-BB7A-61F9-950D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000150684858Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:10.610{3BF36828-BB7A-61F9-950D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000150684857Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:10.610{3BF36828-BB7A-61F9-950D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000150684856Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:10.610{3BF36828-BB7A-61F9-950D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000150684855Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:10.610{3BF36828-BB7A-61F9-950D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000150684854Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:10.610{3BF36828-BB7A-61F9-950D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000150684853Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:10.610{3BF36828-BB7A-61F9-950D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000150684852Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:10.594{3BF36828-BB7A-61F9-950D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000150684851Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:10.594{3BF36828-BB7A-61F9-950D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000150684850Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:10.594{3BF36828-BB7A-61F9-950D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000150684849Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:10.594{3BF36828-BB7A-61F9-950D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000150684848Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:10.594{3BF36828-BB7A-61F9-950D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000150684847Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:10.594{3BF36828-BB7A-61F9-950D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000150684846Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:10.594{3BF36828-BB7A-61F9-950D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000150684845Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:10.594{3BF36828-BB7A-61F9-950D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000150684844Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:10.594{3BF36828-BB7A-61F9-950D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150684843Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:10.594{3BF36828-BB7A-61F9-950D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000150684842Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:10.594{3BF36828-BB7A-61F9-950D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000150684841Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:10.594{3BF36828-BB7A-61F9-950D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000150684840Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:10.594{3BF36828-BB7A-61F9-950D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000150684839Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:10.594{3BF36828-BB7A-61F9-950D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000150684838Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:10.594{3BF36828-BB7A-61F9-950D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000150684837Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:10.594{3BF36828-BB7A-61F9-950D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000150684836Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:10.594{3BF36828-BB7A-61F9-950D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000150684835Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:10.594{3BF36828-BB7A-61F9-950D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000150684834Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:10.594{3BF36828-BB7A-61F9-950D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000150684833Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:10.594{3BF36828-BB7A-61F9-950D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000150684832Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:10.594{3BF36828-BB7A-61F9-950D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000150684831Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:10.594{3BF36828-BB7A-61F9-950D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000150684830Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:10.594{3BF36828-BB7A-61F9-950D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000150684829Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:10.594{3BF36828-BB7A-61F9-950D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000150684828Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:10.594{3BF36828-BB7A-61F9-950D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000150684827Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:10.594{3BF36828-BB7A-61F9-950D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000150684826Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:10.594{3BF36828-BB7A-61F9-950D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000150684825Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:10.594{3BF36828-BB7A-61F9-950D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x8000000000000000150684824Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:10.594{3BF36828-4B4B-61E8-3600-00000000CF01}34443464C:\Windows\system32\conhost.exe{3BF36828-BB7A-61F9-950D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150684823Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:10.594{3BF36828-BB7A-61F9-950D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000150684822Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:10.594{3BF36828-BB7A-61F9-950D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000150684821Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:10.594{3BF36828-BB7A-61F9-950D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150684820Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:10.594{3BF36828-BB7A-61F9-950D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x8000000000000000150684819Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:10.594{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684818Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:10.594{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684817Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:10.594{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684816Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:10.594{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684815Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:10.594{3BF36828-4B36-61E8-0500-00000000CF01}416432C:\Windows\system32\csrss.exe{3BF36828-BB7A-61F9-950D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000150684814Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:10.594{3BF36828-4B49-61E8-2D00-00000000CF01}30564072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-BB7A-61F9-950D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000150684813Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:10.579{3BF36828-BB7A-61F9-950D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4B37-61E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000150684812Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:10.219{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2C608C10A87CEAF7A48A18A8B4AA335F,SHA256=F6550B6B74B2E7B72DCBCBCBAAF4FD3E1CD4F702EAECAA4E237D424143256A15,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000150684811Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:10.078{3BF36828-BB79-61F9-940D-02000000CF01}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000150684810Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:10.078{3BF36828-BB79-61F9-940D-02000000CF01}33403772C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150684809Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:10.063{3BF36828-BB79-61F9-940D-02000000CF01}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000150684808Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:10.063{3BF36828-BB79-61F9-940D-02000000CF01}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000071087409Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:11.615{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=17A9B70C6FCE9F5EDE343790D7691388,SHA256=2273CA48E18F3F5A114B154D7B90AB5A36581F8C2D367960FB6729DDC7065344,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087408Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:11.256{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2198371938B570BEE1323AA69370FFC1,SHA256=EB6211B652C2C654D70F4A69DBB9EFE30DC2E0170445C7FFEE431901748B7F7A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684866Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:11.625{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9CE2F4F82BD847F347320411AAA10BE6,SHA256=189F9EE961A1E9D23D4F7B8761E25752FAA4066B47EADA1388C224EE0307F047,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684865Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:11.016{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5C2E97ACD811B740A22E6CDC799F53F,SHA256=A94C73C596DCAA4C82FEBDB6AE005F79505FA0271840A57023FF0AF3D16DEE6D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087410Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:12.318{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97C3A332436CC8E93D9CBAA5059D0436,SHA256=5FA4191C7A1FB914D21972C7AD2FE7B5AF561F8B63CFE336A1A13D167CEF7586,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684867Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:12.047{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2ED589656A827731EB24044A5AE89DF3,SHA256=0ECA574C3E6B16EDCBE48268392BAFC065CE764B3E5CA53004DAA376BAF5237D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000071087412Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:06.831{B81B27B7-4B45-61E8-6600-00000000CE01}4020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local54113-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000071087411Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:13.334{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43FCA908787465EFCB15A1385AADD400,SHA256=D0E6DF938DD190EDB16775B574DCE2B8E134A27177C1A0DF7B2BD21CBF47CCF1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684868Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:13.063{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF1DED9D167B8864F9AD4BBDB9595451,SHA256=C0147C7BB1B3E7FC69DAAA10BB0EFE1BFAED518F4BC265E7E1FE5927E77D9D3F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087413Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:14.381{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1411981F69FDE3E470364204775D453,SHA256=73EFCAE0797912053AE6C8E057C82E5F13EDA4ACEF86638321A0747F82AB160A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000150684871Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 22:59:56.805{3BF36828-4B56-61E8-6D00-00000000CF01}4044C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local59784-false10.0.1.12-8000- 23542300x8000000000000000150684870Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:14.266{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2A627AFB556951FB3C7513312CF3A10A,SHA256=B9AC40D05C596093280F4B8056070D9F273EBCB425CCD3F8745FCC54B3030133,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684869Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:14.078{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1DA57A87C3A41377134CBE46688FDC3,SHA256=F9A68B006BBDD7DDA32A6841B6F9E425F408250B3614736AF8A7EEC90C67A7AF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087414Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:15.412{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D06D6FD1167966E7BE753DE8B716C079,SHA256=E61D1899F487E1E40674B82D9EB6C13BBC3BA7E7D7AC4DC95E39FE4E7A69C6F8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684872Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:15.110{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E664907F7B2E26600A3307A3AFACD708,SHA256=B2C7F5F5ACEE35716A87EA5A26F79F5FEB086C97CF01C678C5A2E00CCE667AF9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087416Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:16.443{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7CE4E07E6D64C0623EFD135D55F5DF8,SHA256=940815CBE644DC32158AACA17257676E4E5399654319A867719A6B868C336511,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684873Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:16.141{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=277B99F4B6133D5A0CF54D575139FD10,SHA256=31964025BF9EC31B0FF92CD1FCC52B1FD1F3C4AA4A8FAB95A49474A69C77C1B1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087415Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:16.084{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=56E0791895D43526AC30B324FD791833,SHA256=26649E112FA849A7345378E0925C81B3A86BC086C46D0978AAF5407ACDA6F81B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087417Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:17.459{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=907184F9B3AEA10799E74602D0E719AE,SHA256=4811ADE62572A4D83022A2148E047BFF7B3F02E874E53A2D7E65DA25C5EE485B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000150684925Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:17.641{3BF36828-BB81-61F9-960D-02000000CF01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000150684924Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:17.641{3BF36828-BB81-61F9-960D-02000000CF01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000150684923Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:17.641{3BF36828-BB81-61F9-960D-02000000CF01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000150684922Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:17.485{3BF36828-BB81-61F9-960D-02000000CF01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000150684921Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:17.485{3BF36828-BB81-61F9-960D-02000000CF01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000150684920Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:17.485{3BF36828-BB81-61F9-960D-02000000CF01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000150684919Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:17.485{3BF36828-BB81-61F9-960D-02000000CF01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000150684918Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:17.485{3BF36828-BB81-61F9-960D-02000000CF01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000150684917Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:17.485{3BF36828-BB81-61F9-960D-02000000CF01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000150684916Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:17.485{3BF36828-BB81-61F9-960D-02000000CF01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000150684915Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:17.469{3BF36828-BB81-61F9-960D-02000000CF01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000150684914Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:17.469{3BF36828-BB81-61F9-960D-02000000CF01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000150684913Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:17.469{3BF36828-BB81-61F9-960D-02000000CF01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000150684912Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:17.469{3BF36828-BB81-61F9-960D-02000000CF01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000150684911Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:17.469{3BF36828-BB81-61F9-960D-02000000CF01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000150684910Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:17.469{3BF36828-BB81-61F9-960D-02000000CF01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000150684909Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:17.469{3BF36828-BB81-61F9-960D-02000000CF01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000150684908Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:17.469{3BF36828-BB81-61F9-960D-02000000CF01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045,IMPHASH=2005807FD04567B79F4109D23F9E6018trueMicrosoft WindowsValid 734700x8000000000000000150684907Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:17.469{3BF36828-BB81-61F9-960D-02000000CF01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000150684906Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:17.469{3BF36828-BB81-61F9-960D-02000000CF01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000150684905Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:17.469{3BF36828-BB81-61F9-960D-02000000CF01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000150684904Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:17.469{3BF36828-BB81-61F9-960D-02000000CF01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000150684903Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:17.469{3BF36828-BB81-61F9-960D-02000000CF01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000150684902Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:17.469{3BF36828-BB81-61F9-960D-02000000CF01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000150684901Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:17.469{3BF36828-BB81-61F9-960D-02000000CF01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000150684900Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:17.469{3BF36828-BB81-61F9-960D-02000000CF01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000150684899Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:17.469{3BF36828-BB81-61F9-960D-02000000CF01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000150684898Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:17.469{3BF36828-BB81-61F9-960D-02000000CF01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000150684897Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:17.469{3BF36828-BB81-61F9-960D-02000000CF01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000150684896Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:17.469{3BF36828-BB81-61F9-960D-02000000CF01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000150684895Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:17.469{3BF36828-BB81-61F9-960D-02000000CF01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000150684894Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:17.469{3BF36828-BB81-61F9-960D-02000000CF01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000150684893Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:17.469{3BF36828-BB81-61F9-960D-02000000CF01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000150684892Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:17.469{3BF36828-BB81-61F9-960D-02000000CF01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000150684891Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:17.469{3BF36828-BB81-61F9-960D-02000000CF01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x8000000000000000150684890Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:17.469{3BF36828-BB81-61F9-960D-02000000CF01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000150684889Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:17.469{3BF36828-BB81-61F9-960D-02000000CF01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000150684888Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:17.469{3BF36828-BB81-61F9-960D-02000000CF01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150684887Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:17.469{3BF36828-BB81-61F9-960D-02000000CF01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000150684886Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:17.469{3BF36828-4B4B-61E8-3600-00000000CF01}34443464C:\Windows\system32\conhost.exe{3BF36828-BB81-61F9-960D-02000000CF01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150684885Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:17.469{3BF36828-BB81-61F9-960D-02000000CF01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000150684884Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:17.469{3BF36828-BB81-61F9-960D-02000000CF01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000150684883Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:17.469{3BF36828-BB81-61F9-960D-02000000CF01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150684882Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:17.469{3BF36828-BB81-61F9-960D-02000000CF01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748trueSplunk, Inc.Valid 10341000x8000000000000000150684881Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:17.469{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684880Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:17.469{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684879Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:17.469{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684878Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:17.469{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684877Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:17.469{3BF36828-4B36-61E8-0500-00000000CF01}416532C:\Windows\system32\csrss.exe{3BF36828-BB81-61F9-960D-02000000CF01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000150684876Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:17.469{3BF36828-4B49-61E8-2D00-00000000CF01}30564072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-BB81-61F9-960D-02000000CF01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000150684875Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:17.454{3BF36828-BB81-61F9-960D-02000000CF01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4B37-61E8-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000150684874Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:17.172{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D29343547D1509AF094327DF2520D311,SHA256=1B2921393B1396FD14A86C893323F78306C3DA12B4778DA750E6D777A86D820C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087418Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:18.474{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C31ED75616928C63790DA51753C6A6B,SHA256=C80DA33894A57372EFC6D5247263A4534CA6AD00C614672F0E45AE8FAE9EBEAB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684927Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:18.594{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE9715AFF4D06261EB29F8B2379622B0,SHA256=AC575904952BAB5587C18A7F389251C3A22D6F9462884AF75B6C353351FBE0AD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684926Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:18.594{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F243C7D6BC4DD488CAEAD324790155E2,SHA256=A75D270664BBC7EE885CDD65FA2F18D705CB72E0A8AA819E2AFADB04BE662C4D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684928Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:19.688{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F15319B684F4806214C9DEB9B88B7F9A,SHA256=3DB20073EC0481CD0813FEA593A2EE34081D85406B743F3443564071026A0CC7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087419Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:19.490{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A54A11409D91617FA70D5F9C697E589,SHA256=D59D1F53E57309617B3A8FA676D212E296CC5566ACA4674E00DA6B6B2A54DC13,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000150684932Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:02.633{3BF36828-4B56-61E8-6D00-00000000CF01}4044C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local59785-false10.0.1.12-8000- 23542300x8000000000000000150684931Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:20.719{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95C58BB4803F3727F0C55272D5D8CA13,SHA256=4B31F1A54A425F2FA2F96704BC2C5D1051BE3D5905CB34A42DF657A2422A5865,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000071087430Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:20.771{B81B27B7-BB84-61F9-5C0D-02000000CE01}38444040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000071087429Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:12.752{B81B27B7-4B45-61E8-6600-00000000CE01}4020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local54114-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x800000000000000071087428Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:20.599{B81B27B7-4B3C-61E8-3000-00000000CE01}31083128C:\Windows\system32\conhost.exe{B81B27B7-BB84-61F9-5C0D-02000000CE01}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087427Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:20.599{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087426Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:20.599{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087425Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:20.599{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087424Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:20.599{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087423Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:20.599{B81B27B7-4B38-61E8-0500-00000000CE01}4202120C:\Windows\system32\csrss.exe{B81B27B7-BB84-61F9-5C0D-02000000CE01}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000071087422Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:20.599{B81B27B7-4B3A-61E8-2600-00000000CE01}21723992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-BB84-61F9-5C0D-02000000CE01}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000071087421Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:20.585{B81B27B7-BB84-61F9-5C0D-02000000CE01}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4B39-61E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000071087420Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:20.506{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72F111643FCA30028877D1A36B5840ED,SHA256=82EAE5332369BD18D8E8B1FFCD06FD12B22DC414C7D14E93AAD552E49F9D5C00,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684930Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:20.313{3BF36828-4B39-61E8-1300-00000000CF01}352NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=63B7DC5AF504CA6C904F20B6802486A1,SHA256=38F3398077904C7AB1D88E404F668753086D6EF1D4F1EE9BE5BAA389E9EA5168,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684929Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:20.110{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B2B30B6266766BEF79C90F6D703EDC8D,SHA256=779F8F290E15C170BD9F5563624A2CDDD01C6B9D6D92E52FC825EF9A9CBF60F2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000071087451Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:21.959{B81B27B7-BB85-61F9-5E0D-02000000CE01}8681180C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087450Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:21.803{B81B27B7-4B3C-61E8-3000-00000000CE01}31083128C:\Windows\system32\conhost.exe{B81B27B7-BB85-61F9-5E0D-02000000CE01}868C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087449Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:21.803{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087448Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:21.803{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087447Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:21.803{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087446Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:21.803{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087445Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:21.803{B81B27B7-4B38-61E8-0500-00000000CE01}420436C:\Windows\system32\csrss.exe{B81B27B7-BB85-61F9-5E0D-02000000CE01}868C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000071087444Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:21.803{B81B27B7-4B3A-61E8-2600-00000000CE01}21723992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-BB85-61F9-5E0D-02000000CE01}868C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000071087443Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:21.788{B81B27B7-BB85-61F9-5E0D-02000000CE01}868C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4B39-61E8-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000071087442Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:21.646{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=31BA744B72A3F66E1AA4233E9AFF0D4C,SHA256=30C8E59ACA0A455FA5F48F5132D7B25616C2F7AB17726DF2F2D651CB5CC60641,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087441Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:21.646{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BC81433D76BB6BCBA7BF4CB3260E15E9,SHA256=28DC04FE75A9D36BC23FCDC1145AE32F53F34656EFFFCBE6369ECE2B00F75710,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000071087440Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:21.538{B81B27B7-BB85-61F9-5D0D-02000000CE01}41724920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000071087439Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:21.521{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAEF34B0580CE464622EF7270A3525D4,SHA256=9E37D04D642A9F2EF445D80DDF2153BE70664E1A5AECB6779734610863212962,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150684933Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:21.750{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAF1321861B4999D187B9FDC131A0A01,SHA256=648A062E5B3508FAA4938C8A1E2BE524C6DDD8D5AE4057C86E7177A285D672D9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000071087438Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:21.287{B81B27B7-4B3C-61E8-3000-00000000CE01}31083128C:\Windows\system32\conhost.exe{B81B27B7-BB85-61F9-5D0D-02000000CE01}4172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087437Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:21.287{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087436Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:21.287{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087435Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:21.287{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087434Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:21.287{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087433Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:21.287{B81B27B7-4B38-61E8-0500-00000000CE01}4202120C:\Windows\system32\csrss.exe{B81B27B7-BB85-61F9-5D0D-02000000CE01}4172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000071087432Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:21.287{B81B27B7-4B3A-61E8-2600-00000000CE01}21723992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-BB85-61F9-5D0D-02000000CE01}4172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000071087431Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:21.272{B81B27B7-BB85-61F9-5D0D-02000000CE01}4172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4B39-61E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000150685008Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.766{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E50AC68D7B4555129134C82BAF7089C2,SHA256=F96912B0A63AC3950DC80B976A26279CE7A46792DC56043D8AC895C79791BB8C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000071087464Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:22.912{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1500-00000000CE01}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087463Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:22.912{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1500-00000000CE01}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087462Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:22.912{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1500-00000000CE01}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000071087461Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:22.818{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=31BA744B72A3F66E1AA4233E9AFF0D4C,SHA256=30C8E59ACA0A455FA5F48F5132D7B25616C2F7AB17726DF2F2D651CB5CC60641,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087460Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:22.552{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED95A7A25F87471E13B34B3503494376,SHA256=A24B426166F3FE6FA611A9B16D765A6A3B2450F1BEA08157D335EC46F24519C1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000071087459Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:22.490{B81B27B7-4B3C-61E8-3000-00000000CE01}31083128C:\Windows\system32\conhost.exe{B81B27B7-BB86-61F9-5F0D-02000000CE01}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087458Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:22.490{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087457Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:22.490{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087456Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:22.490{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087455Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:22.490{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087454Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:22.490{B81B27B7-4B38-61E8-0500-00000000CE01}4202120C:\Windows\system32\csrss.exe{B81B27B7-BB86-61F9-5F0D-02000000CE01}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000071087453Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:22.490{B81B27B7-4B3A-61E8-2600-00000000CE01}21723992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-BB86-61F9-5F0D-02000000CE01}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000071087452Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:22.475{B81B27B7-BB86-61F9-5F0D-02000000CE01}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4B39-61E8-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000150685007Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.266{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28A168D2EF603D9DD8E0A936B314D438,SHA256=AE6B07D501D6EA4BD0037EE7C469A9E81215CBA403B0143ACF41FCD9CD1D3DC5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000150685006Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.203{3BF36828-BB86-61F9-970D-02000000CF01}41405964C:\Tools\x64\mimikatz.exe{3BF36828-4B37-61E8-0B00-00000000CF01}632C:\Windows\system32\lsass.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Tools\x64\mimikatz.exe+c0612|C:\Tools\x64\mimikatz.exe+c09e9|C:\Tools\x64\mimikatz.exe+c44c3|C:\Tools\x64\mimikatz.exe+85738|C:\Tools\x64\mimikatz.exe+85570|C:\Tools\x64\mimikatz.exe+852a3|C:\Tools\x64\mimikatz.exe+c7435|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150685005Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.203{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exeC:\Windows\System32\wintrust.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=D8CD8451D1E194230F18866AD6EFE5E7,SHA256=9977AA1287962035C24DF806DDA67F09FFE9BDF696DBA507D749C624AE1C178D,IMPHASH=EC9695F0DF1F52E9D439A942DBDAA111trueMicrosoft WindowsValid 734700x8000000000000000150685004Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.203{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exeC:\Windows\System32\WinTypes.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Base Types DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWinTypes.dllMD5=AAA321C636929D23C58B5A78EDA04B61,SHA256=E33D62CC132B8D790B3604DBE227CD2A270E30C1B71881BB4E3B00732CE56E5C,IMPHASH=58F905117CF0434AF54A7CD9D43EEF30trueMicrosoft WindowsValid 734700x8000000000000000150685003Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.203{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exeC:\Windows\System32\vaultcli.dll10.0.14393.4169 (rs1_release.210107-1130)Credential Vault Client LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationvaultcli.dllMD5=3A4413FEB384CA47420B1A7CB9099BF0,SHA256=338D718FF68D1ACF8AFC366E923B44128E821DDD50A9C282A5F55502BAF288FA,IMPHASH=E0B17C1B749544B11E7164BC8880263EtrueMicrosoft WindowsValid 10341000x8000000000000000150685002Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.203{3BF36828-4B37-61E8-0B00-00000000CF01}632288C:\Windows\system32\lsass.exe{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150685001Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.203{3BF36828-4B37-61E8-0B00-00000000CF01}632288C:\Windows\system32\lsass.exe{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150685000Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.203{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exeC:\Windows\System32\dssenh.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft Enhanced DSS and Diffie-Hellman Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationdssenh.dllMD5=A5EA01D6D9B688CD493DD29CE71DE37F,SHA256=EEEB71D41EA7C0DD4B59610965BBF2F14FABB25E52CBC1AB410ABAE4E403B160,IMPHASH=B1B3EAD9A1589069DFFAB6D2051D69E1trueMicrosoft WindowsValid 734700x8000000000000000150684999Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.203{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000150684998Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.172{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x8000000000000000150684997Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.172{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x8000000000000000150684996Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.172{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000150684995Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.172{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000150684994Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.172{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000150684993Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.172{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000150684992Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.172{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000150684991Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.172{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exeC:\Windows\System32\logoncli.dll10.0.14393.3808 (rs1_release.200707-2105)Net Logon Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationLOGONCLI.DLLMD5=B5C16F0A457DB3C7695AAC9EE7E3EE1E,SHA256=88764349C57E619C6D1253BB2F4AFB27DBD141E9EB9C12D445C20F7384A4F437,IMPHASH=FD7877EA3FC7D2EDCA1ADC932A5034BDtrueMicrosoft WindowsValid 734700x8000000000000000150684990Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.157{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000150684989Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.157{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000150684988Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.157{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exeC:\Windows\System32\devobj.dll10.0.14393.0 (rs1_release.160715-1616)Device Information Set DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationdevinfoset.DLLMD5=72AD993A6E896EB50058A73D045F3284,SHA256=CFF524F52D5F91788F34A47076E0CA36132890981079B27F559279B3F6FC3B11,IMPHASH=DFDCA72C641F8587ADF49CA0ED1D5817trueMicrosoft WindowsValid 734700x8000000000000000150684987Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.157{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exeC:\Windows\System32\winsta.dll10.0.14393.0 (rs1_release.160715-1616)Winstation LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationwinsta.dllMD5=12668CEFEE3754CFA61C5699821668B3,SHA256=D0C81619EDE8B846D98417989684EF16DF3A053CC049C7281E40F3359AD5B570,IMPHASH=2E790E44628AED89C2CC17E1E4A5CE1CtrueMicrosoft WindowsValid 734700x8000000000000000150684986Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.157{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exeC:\Windows\System32\WinSCard.dll10.0.14393.2273 (rs1_release_1.180427-1811)Microsoft Smart Card APIMicrosoft® Windows® Operating SystemMicrosoft Corporationwinscard.dllMD5=85E2B5FCB057B0476687CCFE28E589A5,SHA256=4B99A7709FAC8E9CF95AA186651BE455C0998414E2D2D807DF1B000EB26FBD15,IMPHASH=8E9831D203C36A499228D7F02C6B90D8trueMicrosoft WindowsValid 734700x8000000000000000150684985Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.157{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exeC:\Windows\System32\hid.dll10.0.14393.0 (rs1_release.160715-1616)Hid User LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationhid.dllMD5=DDEB02D7BCB0A346600A3160203C2C95,SHA256=77FD468B4C46A75312426E4368389057EFED233844CF1BC8468983EEC160F178,IMPHASH=A3D80A73BEB6EED1400E993AE6A5B1C3trueMicrosoft WindowsValid 734700x8000000000000000150684984Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.157{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5,IMPHASH=9A7C66851249D4CED6C2C9096DCA243BtrueMicrosoft WindowsValid 734700x8000000000000000150684983Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.157{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000150684982Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.157{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exeC:\Windows\System32\userenv.dll10.0.14393.3986 (rs1_release.201002-1707)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=047D26DCED07A10913C3E7C3A7502BED,SHA256=143C661F79AC6BB271452A10C2A19F6B1AAAAE43B4062B6CFF173F7D8ABC40FE,IMPHASH=C84FC60AE2A79A06E8C46A6929CDECB4trueMicrosoft WindowsValid 734700x8000000000000000150684981Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.157{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exeC:\Windows\System32\setupapi.dll10.0.14393.2608 (rs1_release.181024-1742)Windows Setup APIMicrosoft® Windows® Operating SystemMicrosoft CorporationSETUPAPI.DLLMD5=8EEA3E9E124AC395915517588723F12E,SHA256=ED63B8F0079069271F46EECCB4B0CF384D02BD1E18FE3BA635A0C0B1284B2CBE,IMPHASH=5910ADAAC44A92AFA6ED871531949CEEtrueMicrosoft WindowsValid 734700x8000000000000000150684980Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.157{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x8000000000000000150684979Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.157{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430D,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x8000000000000000150684978Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.157{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000150684977Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.157{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x8000000000000000150684976Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.157{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exeC:\Windows\System32\windows.storage.dll10.0.14393.4402 (rs1_release.210426-1725)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=DCB0FEE21129CF5397BBB8060CC5F62C,SHA256=89A6859022294A24D5253F4206FD49A45A1DEF34ACC894BF94CA0203DAE81623,IMPHASH=181A859176420BBB803F246C0E4B0889trueMicrosoft WindowsValid 734700x8000000000000000150684975Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.157{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x8000000000000000150684974Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.157{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000150684973Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.157{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exeC:\Windows\System32\samlib.dll10.0.14393.0 (rs1_release.160715-1616)SAM Library DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSAMLib.DLLMD5=4C413FEDB1B88DA18059890CE0BC95D1,SHA256=FAD279CE82D1616A533D6E5D3A20543B51FDBDDE4C764E09F6A01C8B0E44218A,IMPHASH=BF11630905AADA27934CD5411323FA5BtrueMicrosoft WindowsValid 734700x8000000000000000150684972Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.157{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exeC:\Windows\System32\shell32.dll10.0.14393.4402 (rs1_release.210426-1725)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=5B28CA0CDE72EA21C402B62DDA249256,SHA256=8E46588F0A51745F89CB6C3011B227BE504D9B9D14FF33910DF57F4EDF15ED9A,IMPHASH=2ED99A476E2DEFB78DF894322CB4A549trueMicrosoft WindowsValid 734700x8000000000000000150684971Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.157{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CA,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x8000000000000000150684970Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.157{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000150684969Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.157{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000150684968Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.157{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150684967Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.157{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000150684966Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.157{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exeC:\Windows\System32\dpapi.dll10.0.14393.0 (rs1_release.160715-1616)Data Protection APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdpapi.dllMD5=927EA28A3F416A5A5E9FC638CA245EF5,SHA256=D399633CC99D754DD999BB4FFADD768FEA82F57A0241809117AD786DC33DD30E,IMPHASH=8F811B713271A0FEFA798FB95D523A8BtrueMicrosoft WindowsValid 734700x8000000000000000150684965Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.157{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000150684964Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.157{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000150684963Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.157{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exeC:\Windows\System32\odbc32.dll10.0.14393.3471 (rs1_release_1.191218-1729)ODBC Driver ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationodbc32.dllMD5=7BE20E672645485F6A3B2E34389344BA,SHA256=B6F6E06CACEE09FB6CC0ACF874477FC9094EA4C14A07FF59B228BDD23C7BF02A,IMPHASH=B6FE10FF835FBB8612CC749787B5472EtrueMicrosoft WindowsValid 734700x8000000000000000150684962Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.157{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x8000000000000000150684961Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.157{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000150684960Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.157{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000150684959Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.157{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exeC:\Windows\System32\mpr.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Multiple Provider Router DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmpr.dllMD5=0E56DB60C434D51769F2DAC48B9AA686,SHA256=3F9AED98B1B7F6A59C219F622FD91C7FD20BFE280935F5334920A02ECCAE7ED6,IMPHASH=46ADE2B067E724C7163A0B1902FEF225trueMicrosoft WindowsValid 734700x8000000000000000150684958Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.157{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000150684957Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.157{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x8000000000000000150684956Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.157{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000150684955Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.157{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x8000000000000000150684954Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.157{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000150684953Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.157{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242,IMPHASH=B6562243FBF394F03046E917C719260FtrueMicrosoft WindowsValid 734700x8000000000000000150684952Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.157{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exeC:\Windows\System32\cabinet.dll5.00 (rs1_release.160715-1616)Microsoft® Cabinet File APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcabinet.dllMD5=08A4A2712DB2AE10E483FB74E46B0E73,SHA256=EEB32E3E4256CC9935227ACD5BA576B75F1F6FE3C818D2127513CB22F823FECB,IMPHASH=536E202FBC448C2C3B40D60D87620951trueMicrosoft WindowsValid 734700x8000000000000000150684951Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.157{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000150684950Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.157{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exeC:\Windows\System32\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=95BA70CFA8087A209500D7D350BF3A59,SHA256=4265157E8DC2A0E32A6328D54181CC31FD24E3017E60B270623C2CDBE5FAB4FA,IMPHASH=5BAA515B293A764CA06512D078C4E624trueMicrosoft WindowsValid 734700x8000000000000000150684949Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.157{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000150684948Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.157{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000150684947Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.157{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000150684946Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.157{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x8000000000000000150684945Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.157{3BF36828-9F48-61F9-300A-02000000CF01}25045708C:\Windows\system32\conhost.exe{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150684944Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.157{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000150684943Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.157{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000150684942Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.157{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000150684941Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.157{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150684940Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.157{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exeC:\Tools\x64\mimikatz.exe2.2.0.0mimikatz for Windowsmimikatzgentilkiwi (Benjamin DELPY)mimikatz.exeMD5=BB8BDB3E8C92E97E2F63626BC3B254C4,SHA256=912018AB3C6B16B39EE84F17745FF0C80A33CEE241013EC35D0281E40C0658D9,IMPHASH=9528A0E91E28FBB88AD433FEABCA2456trueOpen Source Developer, Benjamin DelpyValid 10341000x8000000000000000150684939Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.157{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684938Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.141{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684937Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.141{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150684936Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.141{3BF36828-DC57-61EA-584E-00000000CF01}10401044C:\Windows\system32\csrss.exe{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000150684935Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.141{3BF36828-9F48-61F9-2F0A-02000000CF01}4924836C:\Windows\system32\cmd.exe{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000150684934Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:22.155{3BF36828-BB86-61F9-970D-02000000CF01}4140C:\Tools\x64\mimikatz.exe2.2.0.0mimikatz for Windowsmimikatzgentilkiwi (Benjamin DELPY)mimikatz.exemimikatz.exe "privilege::debug" "sekurlsa::tickets /export"C:\Tools\x64\ATTACKRANGE\Administrator{3BF36828-DC57-61EA-2C91-EE0200000000}0x2ee912c3HighMD5=BB8BDB3E8C92E97E2F63626BC3B254C4,SHA256=912018AB3C6B16B39EE84F17745FF0C80A33CEE241013EC35D0281E40C0658D9,IMPHASH=9528A0E91E28FBB88AD433FEABCA2456{3BF36828-9F48-61F9-2F0A-02000000CF01}4924C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" 23542300x800000000000000071087465Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:23.568{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF5AF03235A596DB38AE6811C9A2AEC9,SHA256=8EE764EE611CE37C031B49FB5CE4F859E6CEDAEA16EA912AD8384EFC47E564E0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685010Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:23.781{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32E35FA1D2508A8318D36A06E42647FB,SHA256=F5453BC486E7D29F571DF8CDE95E7BD458DDBA9FECF8B2DDFC170345571B19F0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685009Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:23.188{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=27254A3F0035F0F5F215BEF8B062BEFC,SHA256=9AEF3143A25DE46FB6DE8B80771F53354C02FAD387FAF941F97CC27BD2440530,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685012Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:24.797{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C4CEBB20387AB1BEF2E2B66C16D5A11,SHA256=2102D0781C8B1ED99541B4897B38B384AB9A3D89CB6F1777496707512ED1E0B5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087466Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:24.787{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B59494457CEAC620A8597B2CE89BBFE4,SHA256=9FA808CA708F8CC0CCDC5DC06D738F9762C0BE67075D636B69C6C4E53E173B03,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685011Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:24.031{3BF36828-0669-61F8-11DA-01000000CF01}6068ATTACKRANGE\AdministratorC:\Windows\explorer.exeC:\Users\Administrator\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.datMD5=58FDE1A71D2ADB272DABB3A92B406559,SHA256=555933C7D5D49EBF3648EE1EF420E0C71835139B8A8DEF8FBA64C9EBE48B0C32,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087468Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:25.818{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A057E6B76E47F242CF484166A9854D1A,SHA256=2DC2E772C14949E87764F05C6F8DA8EFF3A72CEE66D0222C8CA71CB97F432C6F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685014Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:25.797{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=447774AEF8487123F778447D10E867B1,SHA256=7A4B5FB9A7F2238B60ED37C5417BDC4B2A718FCCD12C6EB8A6A0818ACCEDBEE3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685013Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:25.172{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EBC7F174192EA428F427F94E4F485C9D,SHA256=E7024849E7F388C9B7C08C3104CC46B189F1FB08289A56FF1595D9C975CE65B3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000071087467Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:17.768{B81B27B7-4B45-61E8-6600-00000000CE01}4020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local54115-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000150685016Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:26.828{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73424D34DE64387C9BA0B577F837C24B,SHA256=4420215CFF5E78E9566B785110717D1E8F6DFA33EF752EC2C8C4A5587DE45336,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000150685015Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:07.711{3BF36828-4B56-61E8-6D00-00000000CF01}4044C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local59786-false10.0.1.12-8000- 23542300x8000000000000000150685017Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:27.860{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3492957A21BB6888A301D73441A85464,SHA256=092D0BE89D1A0384652359D58B7D28C7C7C6C4CD4FB3900A62907830D83F4B12,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000071087470Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:27.943{B81B27B7-4B39-61E8-0D00-00000000CE01}8043948C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1600-00000000CE01}1196C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000071087469Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:27.037{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C290EE72201020FC66AD48D8D989A17,SHA256=1EB338BB95FC24860751E4813FDF70091CE397B0E15EDFF14E49E6F4E62EF88D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685018Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:28.860{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=995F78BD6313CD518D005EE6390F5D91,SHA256=4ECC175027E1A677AA94999C23A6B98817304416E72BBAC15EB679DDF14F4BE6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087471Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:28.084{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=689A0B5162835FBEDE51723CC81CF40E,SHA256=468FE4DA19FABEC82F0D992E5EEC9A0BD2A9E1B3CC05A7333FEB015F903AAAA5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685019Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:29.860{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A966E07AC2AFCC7391C1E8980957726,SHA256=BE2BECC2960A8C4FCAD4B2FC035AD831B69D66C140EE40EDE4546E02194FB0DA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087472Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:29.178{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1157C0EE1F6A7E1669A1C6F44849516B,SHA256=0A175F7098E975FF494653E768FE87EF7B3451DD6437EF77996CB9CD61DC73FA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685020Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:30.938{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D1E8794CF210825F57CB591F6FEBFE5,SHA256=3C77F073E7A7C246FE336396FFEDC95FC01639668099EDEA822E65B6CC1FE9EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000071087474Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:22.909{B81B27B7-4B45-61E8-6600-00000000CE01}4020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local54116-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000071087473Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:30.193{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=217452E85AE0AEB6F4D6350448DC2FCA,SHA256=670A2E286387A3B95F6AD54788BE341C95C1CB33D503CEDE6043217EC86F671D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087475Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:31.209{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D458B41A022917801745DCD7F812384,SHA256=187D2EBBFA1547A7EC3A608E3F772F809FD66E29D46FADB160EEFFDC883E01DC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685022Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:31.188{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6313D7E7FB6B706AF5372F4B50C3B3F1,SHA256=85991755F0558C6ECC8253A57AECFE6E6910FAC5133FFCBAE4B92B02714F1DB3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685021Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:31.188{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CBB67D4803F5359A0D1C47BB16649EDE,SHA256=2047872672BC6A27B195892CD5FD880D24ACAC892D56B015C8240185493A78E6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685025Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:32.266{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6313D7E7FB6B706AF5372F4B50C3B3F1,SHA256=85991755F0558C6ECC8253A57AECFE6E6910FAC5133FFCBAE4B92B02714F1DB3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000150685024Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:13.664{3BF36828-4B56-61E8-6D00-00000000CF01}4044C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local59787-false10.0.1.12-8000- 23542300x8000000000000000150685023Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:32.032{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2753475E7CDCFDF76E5DB02B36C5ED6,SHA256=12347F5CD5C71D77058C47E042DF0D51A579810BDEDCDAC4F591AC1A2769E761,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087476Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:32.224{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08CA675C9E78A238D2737A0B5F09BF7F,SHA256=093394A6BCDBCFFDE886E8D790F3062230FAC85735FD7672FCA86528CFBA5318,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087477Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:33.224{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF2B12B23EE9393D0B6E70DE984374F6,SHA256=922263AAB958AA865209E0540050A85B1085B608F870E324A2C6BFCB1AF772B0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000150685028Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:14.821{3BF36828-4B37-61E8-0B00-00000000CF01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local59788-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 354300x8000000000000000150685027Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:14.821{3BF36828-4B49-61E8-2500-00000000CF01}2824C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local59788-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 23542300x8000000000000000150685026Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:33.032{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAC65F85A47D52C8D448F1EADCAED90F,SHA256=1956F4F9FD9B1C4A31DCADE57255578AC408544ED7FFA0ADB25F31F0C113A2AE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087478Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:34.240{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E314A298C45EA452B99E37F3EDB131EC,SHA256=2DD704A3424559C72E522ED67F2F9174181EC477A3E0A5EE1277FAF37C301BF8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685029Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:34.047{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2DB639412F56566A579C688DAA5B45B,SHA256=37884B97A5F31A9CE20EE4708F85FAAA5F1B5FA177EBD69386F060C9C83D4BCA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000071087480Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:28.752{B81B27B7-4B45-61E8-6600-00000000CE01}4020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local54117-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000071087479Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:35.256{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB03B5EF3B64A02D1B340B1081F6FED9,SHA256=EA60D123270E5031D61E6D805166897AB50B35FDC1C8D31B25873115E1E1D4E4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685030Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:35.063{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFF37EAFF19E2A638F2FAA4C6DF75184,SHA256=E8836FE672F9AE876A5E07B7CA57782364EE85BC26A546B1BC926972A8A1B126,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087481Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:36.287{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=446DAD019D115A3E8EBFAEA8F63A890F,SHA256=ABBD9E192EB17D33B225E0DA83D55B9127C771E95F666D56F999E71C139B5FEB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685032Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:36.266{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0734C62ED1A71CA88EF75E1AB6557EBA,SHA256=52209BA792D5D99750DCCBFF3A67A61301AAC33CD6DC6CFA2B702C64E9F214F9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685031Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:36.063{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09F59420627FF9F9637EA1601F686177,SHA256=4D4194B3EFBB8D03285F68AD1289E6C4C5DF8556ECCEF41F76FADC43AAD483C8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000071087483Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:37.818{B81B27B7-AED0-61F9-B10B-02000000CE01}39884684C:\Windows\system32\taskhostw.exe{B81B27B7-AED0-61F9-B70B-02000000CE01}3740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000071087482Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:37.521{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E98A3DAB192CEF05D28E21AB1407B90,SHA256=3B99EC00CCA66104CF2C55FF4E4AAAD7FA8EE5F945F6D46B63281AF8D3FCFA33,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000150685034Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:18.821{3BF36828-4B56-61E8-6D00-00000000CF01}4044C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local59789-false10.0.1.12-8000- 23542300x8000000000000000150685033Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:37.078{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA087ADC04A4C695223FAACBB09DF966,SHA256=92BDF2331000973DB2B6F77EF254F54744F040FD5D09F659356003C71F835794,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087484Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:38.537{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F46627D457A0FE4082B37D5816CADC8A,SHA256=1AF4CC0356ACD2854297FDA5A753D3962976F7CAE59D5A904D615F722D4709D7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685035Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:38.094{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90378BB6DF7C52F0E05819B569557509,SHA256=32443E8F47B26522A9A9A1DBE1AC5E19216F8C706D7B204A7FB8DF9F2742BD1F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087485Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:39.553{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A102C11C6C3F74AF45C183D94CF8A1F4,SHA256=9862263F308048BB06CF42FBB69790C1293AAE224553F6AAD9AC467143D60C3C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000150685039Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:21.688{3BF36828-4B49-61E8-2E00-00000000CF01}2160C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-128.attackrange.local53domainfalse10.0.1.15WIN-HOST-98751716- 354300x8000000000000000150685038Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:21.686{3BF36828-4B49-61E8-2E00-00000000CF01}2160C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-128.attackrange.local53domainfalse10.0.1.15WIN-HOST-98765492- 23542300x8000000000000000150685037Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:39.141{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E6668E0746482CDD115743E00B5E6D00,SHA256=64C1471E1491EDB6D05ACBAD35A5A281758738FF540227975AD958EFC7EA0F2B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685036Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:39.110{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D63D52FD7B8AE5E39FEDAEE5A0BA071,SHA256=45EA98DA50709153F5362E2EDB4C7DA095B1003E6C4F4C546E5F519DA9483119,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000071087491Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:33.893{B81B27B7-4B45-61E8-6600-00000000CE01}4020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local54118-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x800000000000000071087490Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:32.794{B81B27B7-4B3A-61E8-1400-00000000CE01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10f:0:0:c850:983b:9ce:ffff-62527-truee000:fc:0:0:0:0:0:0-5355llmnr 354300x800000000000000071087489Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:32.794{B81B27B7-4B3A-61E8-1400-00000000CE01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:7073:809d:70b7:7bb9win-host-987.attackrange.local62527-trueff02:0:0:0:0:0:1:3-5355llmnr 354300x800000000000000071087488Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:32.794{B81B27B7-4B35-61E8-0100-00000000CE01}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255-137netbios-nsfalse10.0.1.15win-host-987.attackrange.local137netbios-ns 354300x800000000000000071087487Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:32.794{B81B27B7-4B35-61E8-0100-00000000CE01}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.15win-host-987.attackrange.local137netbios-nsfalse10.0.1.255-137netbios-ns 23542300x800000000000000071087486Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:40.568{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6529129CEFC40018F2D73AFB95B2C43C,SHA256=310A73AD317CA21ADB230A1EFBADD4CDA3B66D6652AAB07D186023802EC6F3FF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685040Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:40.125{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2ED7149D59D6FBD075995B1E9A8597E5,SHA256=759483056A806AB0389136B043A49544976C590DB5FED0FA1579AF9AA61E7B0E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087492Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:41.584{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=240224072B5EF71F7FFAC081DFBC88EB,SHA256=C9A37C118E0F6F50CA20920F64F1105277C9F412BFDDD0A46F51E64F7B20FDF5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685041Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:41.125{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8596F914B171D05A2A3B1DAE8BC099AF,SHA256=D7FF8F81711E148043F40C9B03ED4DC395DC2A8763F83B834426D282ACC7CB62,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000071087501Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:42.990{B81B27B7-AECD-61F9-A70B-02000000CE01}2203852C:\Windows\system32\csrss.exe{B81B27B7-BB9A-61F9-600D-02000000CE01}224C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000071087500Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:42.974{B81B27B7-4B39-61E8-0C00-00000000CE01}7362736C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087499Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:42.974{B81B27B7-4B39-61E8-0C00-00000000CE01}7362736C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087498Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:42.974{B81B27B7-4B38-61E8-0500-00000000CE01}4201000C:\Windows\system32\csrss.exe{B81B27B7-BB9A-61F9-600D-02000000CE01}224C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000071087497Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:42.974{B81B27B7-4B39-61E8-0C00-00000000CE01}7362736C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087496Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:42.974{B81B27B7-4B39-61E8-0C00-00000000CE01}7362736C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087495Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:42.974{B81B27B7-4B39-61E8-0C00-00000000CE01}736760C:\Windows\system32\svchost.exe{B81B27B7-BB9A-61F9-600D-02000000CE01}224C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35af2|c:\windows\system32\rpcss.dll+3c90d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000071087494Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:42.955{B81B27B7-BB9A-61F9-600D-02000000CE01}224C:\Windows\System32\rundll32.exe10.0.14393.4169 (rs1_release.210107-1130)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXEC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -EmbeddingC:\Windows\system32\ATTACKRANGE\REED_SCHMIDT{B81B27B7-AECE-61F9-0184-781000000000}0x107884015MediumMD5=23DB802097F7B7E520E40068A7E68B14,SHA256=28DE7D3E8BF4B19E44063A4BFC2E7C30AE488CD9A1F63320ED374E14AAECA667,IMPHASH=7D1CE1BAFE48B63D9D19E8E0E5DF3E6C{B81B27B7-4B39-61E8-0C00-00000000CE01}736C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 23542300x800000000000000071087493Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:42.615{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=350DBB75891ADED714134D73039F1111,SHA256=6BF9DB9110F1B289DECEBEAC35E0B467A5BD221AAE3A0D6ACB7E75DE5FD103A5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685043Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:42.141{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33EEA3CBFE642229023E7DE8CDC81D8F,SHA256=624F2C0CF980C90FDEE6A558439B24F591FAFBC9019C748F175838CB3B70134E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685042Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:42.111{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8EE5607182B4AA6E3DA6AB1B5B209BB8,SHA256=CE002CCFF4CF5F80EA876A16C7A4386868730FE6A42D194DD55F22A59C3F658D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087506Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:43.959{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E31CF765FD57B615DC5E55FAB51CF384,SHA256=8B423BB81DF6B5B9C61B4920709722D9A0DF045383253A7064389A0D93AD2BC8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087505Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:43.959{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DAF19F7DCFC76D672BBADD6ADE3C0973,SHA256=EC9ED67D90711FDDF29389EFC7414E691E24BD822A6E73050642A5E1126414F1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087504Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:43.631{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CE56C1B1882AA092AD43C679264DEF3,SHA256=90B6F4E8F96D84A1EB4C82806EB53724CA08FACDC7388864A64AB3E7CB5A7978,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000150685045Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:24.680{3BF36828-4B56-61E8-6D00-00000000CF01}4044C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local59790-false10.0.1.12-8000- 23542300x8000000000000000150685044Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:43.157{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3915DF892306EABE890D5CBCE7DCF165,SHA256=27F01FC8E974D016C9136F66FFE557000A1F6AB799667A6EF7817F5FADDD7349,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000071087503Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:43.006{B81B27B7-4B3A-61E8-1600-00000000CE01}11962840C:\Windows\system32\svchost.exe{B81B27B7-BB9A-61F9-600D-02000000CE01}224C:\Windows\System32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087502Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:43.006{B81B27B7-4B3A-61E8-1600-00000000CE01}11961244C:\Windows\system32\svchost.exe{B81B27B7-BB9A-61F9-600D-02000000CE01}224C:\Windows\System32\rundll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000071087507Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:44.646{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E36E5EAFF85ADF9208497D192344353B,SHA256=48CB8566726D51949B25F9FBDB3FF5A7ED234FC58535698AD78F418DDF5905D4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685046Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:44.172{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EBC95A4F897EDDFFB81C229627D7070,SHA256=9B9FDE4CADF62770D3035393147E02964713F8FD98BE255D62D1DDA9C8C6D339,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087508Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:45.646{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6AD25AB9321E1C3C891598A5BDEEB63,SHA256=85C56F1BD4879F6EBA11B903A96656FBFA7AD6574851FC5D0EB68CB54924F99F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685047Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:45.236{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B7B992A5230C09CE7D0B1944619309D,SHA256=875A2359A0F9A30F5DE1E6B7D3C20AC5A16DA2A9EC8FF6D0CD7FA0683722AE7A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000071087511Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:46.943{B81B27B7-AED0-61F9-B10B-02000000CE01}39884684C:\Windows\system32\taskhostw.exe{B81B27B7-AED0-61F9-B70B-02000000CE01}3740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000071087510Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:46.787{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2F37235E591EAF450CF7BFE8047CC57,SHA256=6C0C069A4BC310DCFD123810429F44FC18661C6A2F7D939F02F3B6C7E7CC71FB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685048Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:46.253{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69995015E0560B9033E69DCB54E5E89A,SHA256=B2C9974C117443878104A86811A9DEB7F8F1B7976EE3CCA4947788F4521290C4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087509Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:46.178{B81B27B7-4B3A-61E8-2600-00000000CE01}2172NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087515Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:47.818{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1369DCC4027A4E033C76F8F9C8B0C566,SHA256=D606CDC256C400291E626261E95667EA3F3A3E7A5D994C95F24E2E6D756D6D2E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685049Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:47.256{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF3633FA5F8EE0D3515E6B8B58B46AE4,SHA256=1E6C3FE5316124CFECAD5399C0B9B4C06618BA61A588C631137C11483A094641,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087514Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:47.224{B81B27B7-AED0-61F9-B70B-02000000CE01}3740ATTACKRANGE\REED_SCHMIDTC:\Windows\Explorer.EXEC:\Tools\x64\[0;133115ef]-2-0-40e10000-Administrator@krbtgt-ATTACKRANGE.LOCAL.kirbiMD5=1DEC3E68A35AEC92CB0E0564338555E4,SHA256=E287DA3CC5DE7FEC09BFCDF2B5E1A26BB0B65524A7DC28905CDA6D42B779E4FC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000071087513Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:39.721{B81B27B7-4B45-61E8-6600-00000000CE01}4020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local54119-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x800000000000000071087512Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:47.006{B81B27B7-AED0-61F9-B10B-02000000CE01}39884684C:\Windows\system32\taskhostw.exe{B81B27B7-AED0-61F9-B70B-02000000CE01}3740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000071087517Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:48.850{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3979AE07681E4B700FFA58DB9FA1CFEF,SHA256=6D6F355647688984124C2D0303F096B557A915B90E810D0B1307F65D7E389F35,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685052Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:48.334{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45519577A60B7FFC2E25C4F27C82DF11,SHA256=B8F5A0E01E2929B0AD31172ED1CB0C672D85C77184159C54413B9CBC818C6789,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000071087516Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:40.830{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local54120-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x8000000000000000150685051Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:48.069{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=44005E89A4F1C3F4ED87C703D1A2645A,SHA256=4E567ED3E722FD7C1C7E6B2F51EEB4AF00086A86CE436698051F84AE87DD6980,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685050Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:48.069{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F1702B1D434C9BBEFE4F80F368FF90DE,SHA256=B5D62BF0A8CA83BE3F4468EA82A6B5479A5D0A35C0A609E0F53FB871149C46AA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087518Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:49.912{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1890B4177F41AB75374A9A1AF2A344D,SHA256=DB46C1453A79BBE5A7FF7FD8131A41AFBD914A12436C40ED100283296F54DC16,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000150685057Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:49.725{3BF36828-4B39-61E8-0C00-00000000CF01}8402592C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1500-00000000CF01}1232C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150685056Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:49.725{3BF36828-4B39-61E8-0C00-00000000CF01}8402592C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1500-00000000CF01}1232C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150685055Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:49.725{3BF36828-4B39-61E8-0C00-00000000CF01}8402592C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1500-00000000CF01}1232C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000150685054Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:30.623{3BF36828-4B56-61E8-6D00-00000000CF01}4044C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local59791-false10.0.1.12-8000- 23542300x8000000000000000150685053Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:49.366{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33F3BC4DF0E3EDDE9E18D0641CFC9565,SHA256=9302DF9B082E7702F9B119DB9373293CCF04E5133F5E3172F41F03A150D64B4E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087519Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:50.943{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C3848FA3CEA6D0C82E21A602B03CC73,SHA256=7A7B7F745E9E1267715DAAEC10425A457C2AC5C9582B2986C9970F8F1E38C51F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685058Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:50.397{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AD28CF76A43F91CE172D8C8A4B5C148,SHA256=206678F6003616381347070B10830212B54EB0B53118135B13E67424CFC1638E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087526Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:51.990{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAD1C8DEA329B600EE97BC7281ED0E6C,SHA256=38D32CF62A1029C621891DF789EEF3AAF56D9C3528DAEFEBEF52BB5BAB95286F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685059Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:51.412{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F5A2E204E440D5F5BBB97CA462D0DDD,SHA256=57C8ACFF22AA241D1AD016092FA29EF253FFBEBD03C0CFE59519847670460F72,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000071087525Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:51.240{B81B27B7-AED0-61F9-B70B-02000000CE01}37404000C:\Windows\Explorer.EXE{B81B27B7-BB14-61F9-4E0D-02000000CE01}2400C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+15d19|C:\Windows\System32\SHELL32.dll+b1b50|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087524Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:51.240{B81B27B7-AED0-61F9-B70B-02000000CE01}37404000C:\Windows\Explorer.EXE{B81B27B7-BB14-61F9-4E0D-02000000CE01}2400C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087523Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:51.240{B81B27B7-AED0-61F9-B70B-02000000CE01}37402724C:\Windows\Explorer.EXE{B81B27B7-BB14-61F9-4F0D-02000000CE01}5020C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13af|C:\Windows\System32\SHELL32.dll+b2af0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087522Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:51.240{B81B27B7-AED0-61F9-B70B-02000000CE01}37402724C:\Windows\Explorer.EXE{B81B27B7-BB14-61F9-4F0D-02000000CE01}5020C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+981b0|C:\Windows\System32\SHELL32.dll+b2aac|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087521Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:51.240{B81B27B7-AED0-61F9-B70B-02000000CE01}37402724C:\Windows\Explorer.EXE{B81B27B7-BB14-61F9-4F0D-02000000CE01}5020C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b2a80|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087520Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:51.240{B81B27B7-AED0-61F9-B70B-02000000CE01}37402724C:\Windows\Explorer.EXE{B81B27B7-BB14-61F9-4F0D-02000000CE01}5020C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000150685060Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:52.428{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29F19AE30C333635DA4C3994ABCE0F40,SHA256=28C5C444D0ABD3E8BDB808562E474BBD2AD1BF5D9AB7CC5C4FFDFAA6679EBF5E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000071087527Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:44.799{B81B27B7-4B45-61E8-6600-00000000CE01}4020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local54121-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000150685062Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:53.444{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A86EF2D496D15C85EEFD748E50D55F5C,SHA256=74A8FFF630BC2751B9CDB265D1E4959C57F6AC3BD1D7E2F0D869B49875ABAFAD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087528Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:53.021{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CE65F6BA548E0972E6EEC4AD7ED34EF,SHA256=DA2C4140FD2A8C97204285262D31889394B09F4711E2BD2CE4FFB4AF07AE048B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685061Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:53.084{3BF36828-4B49-61E8-2D00-00000000CF01}3056NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000150685067Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:36.639{3BF36828-4B56-61E8-6D00-00000000CF01}4044C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local59792-false10.0.1.12-8000- 354300x8000000000000000150685066Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:36.639{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local59793-false10.0.1.12-8089- 23542300x8000000000000000150685065Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:54.475{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=434D0FE008DEEEBEF8741F553FD0F43F,SHA256=2D27F1D0A07943D7E5ACA2DAC0CD5B232632DFD6120049F955161F1F2B3E4A2E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087529Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:54.115{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A1C0258459E09D90F2C0D4677930C9B,SHA256=4BA3802BC12C4C942CF93D2005220F2AE323D97AC618243CA84B47702CEB8B08,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685064Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:54.084{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=118E850ABC3F93B5B32699F648C42F0A,SHA256=B4BDD76EF4E42DC06A018DA83CF9B93731660F98D5B3BBA54044C7F8807C9983,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685063Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:54.084{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=44005E89A4F1C3F4ED87C703D1A2645A,SHA256=4E567ED3E722FD7C1C7E6B2F51EEB4AF00086A86CE436698051F84AE87DD6980,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685068Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:55.506{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0D9C07EE38D9DC59E217EBCA8626C23,SHA256=27C25ACB2A1B704F5810E9CE004212CCBBC50F3ACE672DE3A57EFA3B9CB4A710,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087531Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:55.631{B81B27B7-4B3A-61E8-1000-00000000CE01}984NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=05CA3C28AA10D79361EDC4B48DD896E0,SHA256=C24229647531849D791F50BB6E91319BCF12FA8CFE7614DCF445B529498048DD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087530Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:55.162{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AB54098F035E68EAE31095CB88954C9,SHA256=B3500764015F501D35D8ADE89BCCAEB7C06622C437AACB3A868CAC08AAB26B2E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685069Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:56.522{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F157AB7046A19C76E0D2271F80CC6613,SHA256=0442597D31F8C20EC1976F906382DF324D1010D384101716012A54D844097BD1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000071087533Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:49.893{B81B27B7-4B45-61E8-6600-00000000CE01}4020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local54122-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000071087532Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:56.178{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C48E2181C815A3AC72F87FD9D719DF46,SHA256=5BD16A805D4B447242E3A51488FBA8DC72C7EDD6D14F026D91A8DB800AA1D9A0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685070Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:57.537{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95424F8739742317335FEB11C2D860DE,SHA256=A751F89C43E416D31627DD20EC2F71E2441F5AE7E9F6B7C557EC0AD91089CB5A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087534Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:57.178{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EFCA2BC7FC1F7D82D454DDC19D2B3AA,SHA256=9B7BF3979E0FBF392A183A29F1B3C5BFB7F3C34A45D1758AB005DF3BA9C001D3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685071Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:58.584{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCCDC5A3CC716D09316E5323AB3F402A,SHA256=B717163DAF5283FF0EFF7A40B48EA4299D25C58A8221483277937C826D10BE0D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087535Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:58.193{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49A2647E24FCCE6EB66AD5A691F1AE4A,SHA256=EE001F7D04E1ED68A16ED869747F9D4DF39A822E4B49FE602369C8D4D8269C33,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685074Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:59.600{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74BB4E9BD5B148D64BE7B944190B06B3,SHA256=6C45A90C7E6D61AE343A46350ACB693130B3E302A9A4FBC44F264F41AB580E12,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087536Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:59.334{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26C4C8A383A5EC0B2BAF9878565678A6,SHA256=2193D138CA45BEF851EE339D7D3F774DE7DD5F2C8D053B3776AB01A544E983F0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685073Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:59.334{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=83A775B51A6E39BCB9F8C9760734DD2F,SHA256=B31B82BEE8598E993C56D288DB8C6D2D443D5A08A59B90487C4DB59CF9FF8F5C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685072Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:59.334{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=118E850ABC3F93B5B32699F648C42F0A,SHA256=B4BDD76EF4E42DC06A018DA83CF9B93731660F98D5B3BBA54044C7F8807C9983,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685076Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:00.616{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=096155C0F15A363215EC961A3A259A7A,SHA256=295D038D39156194F04155E89979B4E9391103A0ED59F47B17296D534487234D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087537Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:00.349{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0642602D78D36E8941E2F406C2B697C9,SHA256=B24CCD407C35B008466CD6DE1B1690A83E4A6E37170E72148ECE2BDC357BD123,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000150685075Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:41.811{3BF36828-4B56-61E8-6D00-00000000CF01}4044C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local59794-false10.0.1.12-8000- 23542300x8000000000000000150685077Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:01.631{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A85EFDB85EF98B89DCE53686CA38C638,SHA256=4EE7F613301B308E04EAB9DB957F3192D206AF7C0CC20CF27484D6C4AAFDD11E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087538Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:01.474{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=066393E9554E2A58B20F94FB5FB998F1,SHA256=D26B3E9FA7550824C893A215E1577CAF78246FF495D96CCE5C18E92FB5916672,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000150685126Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:02.803{3BF36828-BBAE-61F9-980D-02000000CF01}5756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000150685125Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:02.803{3BF36828-BBAE-61F9-980D-02000000CF01}5756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000150685124Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:02.803{3BF36828-BBAE-61F9-980D-02000000CF01}5756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000150685123Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:02.803{3BF36828-BBAE-61F9-980D-02000000CF01}5756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000150685122Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:02.803{3BF36828-BBAE-61F9-980D-02000000CF01}5756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000150685121Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:02.803{3BF36828-BBAE-61F9-980D-02000000CF01}5756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000150685120Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:02.803{3BF36828-BBAE-61F9-980D-02000000CF01}5756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000150685119Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:02.803{3BF36828-BBAE-61F9-980D-02000000CF01}5756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000150685118Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:02.787{3BF36828-BBAE-61F9-980D-02000000CF01}5756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000150685117Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:02.787{3BF36828-BBAE-61F9-980D-02000000CF01}5756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000150685116Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:02.787{3BF36828-BBAE-61F9-980D-02000000CF01}5756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000150685115Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:02.787{3BF36828-BBAE-61F9-980D-02000000CF01}5756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000150685114Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:02.787{3BF36828-BBAE-61F9-980D-02000000CF01}5756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000150685113Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:02.787{3BF36828-BBAE-61F9-980D-02000000CF01}5756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000150685112Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:02.787{3BF36828-BBAE-61F9-980D-02000000CF01}5756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000150685111Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:02.787{3BF36828-BBAE-61F9-980D-02000000CF01}5756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000150685110Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:02.787{3BF36828-BBAE-61F9-980D-02000000CF01}5756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000150685109Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:02.787{3BF36828-BBAE-61F9-980D-02000000CF01}5756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150685108Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:02.787{3BF36828-BBAE-61F9-980D-02000000CF01}5756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000150685107Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:02.787{3BF36828-BBAE-61F9-980D-02000000CF01}5756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000150685106Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:02.787{3BF36828-BBAE-61F9-980D-02000000CF01}5756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000150685105Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:02.787{3BF36828-BBAE-61F9-980D-02000000CF01}5756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000150685104Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:02.787{3BF36828-BBAE-61F9-980D-02000000CF01}5756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000150685103Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:02.787{3BF36828-BBAE-61F9-980D-02000000CF01}5756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000150685102Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:02.787{3BF36828-BBAE-61F9-980D-02000000CF01}5756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000150685101Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:02.787{3BF36828-BBAE-61F9-980D-02000000CF01}5756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000150685100Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:02.787{3BF36828-BBAE-61F9-980D-02000000CF01}5756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000150685099Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:02.787{3BF36828-BBAE-61F9-980D-02000000CF01}5756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000150685098Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:02.787{3BF36828-BBAE-61F9-980D-02000000CF01}5756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000150685097Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:02.787{3BF36828-BBAE-61F9-980D-02000000CF01}5756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000150685096Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:02.787{3BF36828-BBAE-61F9-980D-02000000CF01}5756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000150685095Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:02.787{3BF36828-BBAE-61F9-980D-02000000CF01}5756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000150685094Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:02.787{3BF36828-BBAE-61F9-980D-02000000CF01}5756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x8000000000000000150685093Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:02.787{3BF36828-BBAE-61F9-980D-02000000CF01}5756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000150685092Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:02.787{3BF36828-BBAE-61F9-980D-02000000CF01}5756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000150685091Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:02.787{3BF36828-BBAE-61F9-980D-02000000CF01}5756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x8000000000000000150685090Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:02.787{3BF36828-4B4B-61E8-3600-00000000CF01}34443464C:\Windows\system32\conhost.exe{3BF36828-BBAE-61F9-980D-02000000CF01}5756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150685089Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:02.787{3BF36828-BBAE-61F9-980D-02000000CF01}5756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000150685088Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:02.787{3BF36828-BBAE-61F9-980D-02000000CF01}5756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000150685087Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:02.787{3BF36828-BBAE-61F9-980D-02000000CF01}5756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150685086Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:02.787{3BF36828-BBAE-61F9-980D-02000000CF01}5756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8trueSplunk, Inc.Valid 10341000x8000000000000000150685085Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:02.787{3BF36828-4B39-61E8-0C00-00000000CF01}8402592C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150685084Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:02.787{3BF36828-4B39-61E8-0C00-00000000CF01}8402592C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150685083Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:02.787{3BF36828-4B39-61E8-0C00-00000000CF01}8402592C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150685082Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:02.787{3BF36828-4B39-61E8-0C00-00000000CF01}8402592C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150685081Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:02.787{3BF36828-4B36-61E8-0500-00000000CF01}416432C:\Windows\system32\csrss.exe{3BF36828-BBAE-61F9-980D-02000000CF01}5756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000150685080Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:02.787{3BF36828-4B49-61E8-2D00-00000000CF01}30564072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-BBAE-61F9-980D-02000000CF01}5756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000150685079Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:02.773{3BF36828-BBAE-61F9-980D-02000000CF01}5756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4B37-61E8-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000150685078Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:02.647{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=613FB43D7798B26B2C65DD2CDB564334,SHA256=D7D4C212695215F569DAA9B68219D0AB51A0EF2681C8AAC42CD450F8975870CC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087539Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:02.490{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB246120F492EA52923394BAD34AF56C,SHA256=A6135E203ED9199646E4257E7A2453E4D4706166F4FB0B42C05036715DF6EA97,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685183Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:03.787{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=83A775B51A6E39BCB9F8C9760734DD2F,SHA256=B31B82BEE8598E993C56D288DB8C6D2D443D5A08A59B90487C4DB59CF9FF8F5C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685182Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:03.709{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCFA86CE69591339084F7CC2989111D0,SHA256=C765599FBA7F2C1BBA4408A68C9E36138C716AD13AC5BF112168477A2E42C473,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000150685181Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:03.678{3BF36828-BBAF-61F9-990D-02000000CF01}51724748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150685180Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:03.678{3BF36828-BBAF-61F9-990D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000150685179Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:03.678{3BF36828-BBAF-61F9-990D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000150685178Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:03.678{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F3616D995A96A499DEFFE39A6834291,SHA256=44C8B331DBCEAF45D642CEFA3BACB929E8D3AD85403D6493F4D100BF2369985C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000071087573Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:03.615{B81B27B7-AED0-61F9-AE0B-02000000CE01}5072944C:\Windows\System32\RuntimeBroker.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000071087572Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:03.615{B81B27B7-AED0-61F9-AE0B-02000000CE01}5072944C:\Windows\System32\RuntimeBroker.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000071087571Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:03.615{B81B27B7-AED0-61F9-B70B-02000000CE01}37404732C:\Windows\Explorer.EXE{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087570Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:03.615{B81B27B7-AED0-61F9-B70B-02000000CE01}37404732C:\Windows\Explorer.EXE{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087569Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:03.599{B81B27B7-AED0-61F9-B70B-02000000CE01}37404388C:\Windows\Explorer.EXE{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13af|C:\Windows\System32\SHELL32.dll+b3175|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087568Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:03.599{B81B27B7-AED0-61F9-B70B-02000000CE01}37404388C:\Windows\Explorer.EXE{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b308e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087567Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:03.599{B81B27B7-AED0-61F9-B70B-02000000CE01}37404388C:\Windows\Explorer.EXE{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087566Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:03.584{B81B27B7-AED0-61F9-AE0B-02000000CE01}5072944C:\Windows\System32\RuntimeBroker.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000071087565Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:03.584{B81B27B7-AED0-61F9-AE0B-02000000CE01}5072944C:\Windows\System32\RuntimeBroker.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x800000000000000071087564Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:03.584{B81B27B7-AED0-61F9-B70B-02000000CE01}37403356C:\Windows\Explorer.EXE{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000071087563Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:03.584{B81B27B7-AED0-61F9-B70B-02000000CE01}37403356C:\Windows\Explorer.EXE{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000071087562Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:03.584{B81B27B7-4B3A-61E8-2100-00000000CE01}1076856C:\Windows\system32\svchost.exe{B81B27B7-AED1-61F9-B90B-02000000CE01}716C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\tileobjserver.dll+bce2|c:\windows\system32\tileobjserver.dll+26da2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000071087561Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:03.584{B81B27B7-4B3A-61E8-2100-00000000CE01}1076856C:\Windows\system32\svchost.exe{B81B27B7-AED1-61F9-B90B-02000000CE01}716C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|c:\windows\system32\tileobjserver.dll+bc8f|c:\windows\system32\tileobjserver.dll+26da2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 10341000x800000000000000071087560Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:03.568{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a384|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087559Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:03.568{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087558Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:03.568{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-AED1-61F9-B90B-02000000CE01}716C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087557Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:03.568{B81B27B7-4B39-61E8-0C00-00000000CE01}7362736C:\Windows\system32\svchost.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000071087556Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:03.568{B81B27B7-4B39-61E8-0C00-00000000CE01}7362736C:\Windows\system32\svchost.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000071087555Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:03.568{B81B27B7-4B39-61E8-0C00-00000000CE01}7362736C:\Windows\system32\svchost.exe{B81B27B7-AED1-61F9-B90B-02000000CE01}716C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000071087554Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:03.568{B81B27B7-4B39-61E8-0C00-00000000CE01}736760C:\Windows\system32\svchost.exe{B81B27B7-AED1-61F9-B90B-02000000CE01}716C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a384|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087553Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:03.568{B81B27B7-4B39-61E8-0C00-00000000CE01}736760C:\Windows\system32\svchost.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087552Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:03.568{B81B27B7-4B39-61E8-0C00-00000000CE01}736760C:\Windows\system32\svchost.exe{B81B27B7-AED1-61F9-B90B-02000000CE01}716C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087551Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:03.568{B81B27B7-4B39-61E8-0C00-00000000CE01}7362736C:\Windows\system32\svchost.exe{B81B27B7-AED1-61F9-B90B-02000000CE01}716C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000071087550Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:03.568{B81B27B7-4B39-61E8-0C00-00000000CE01}7362736C:\Windows\system32\svchost.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000071087549Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:03.568{B81B27B7-4B39-61E8-0C00-00000000CE01}7362736C:\Windows\system32\svchost.exe{B81B27B7-AED1-61F9-B90B-02000000CE01}716C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000071087548Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:03.568{B81B27B7-4B39-61E8-0C00-00000000CE01}736760C:\Windows\system32\svchost.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087547Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:03.568{B81B27B7-AED0-61F9-B70B-02000000CE01}37402092C:\Windows\Explorer.EXE{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087546Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:03.568{B81B27B7-AED0-61F9-B70B-02000000CE01}37402724C:\Windows\Explorer.EXE{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087545Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:03.568{B81B27B7-4B39-61E8-0C00-00000000CE01}7362736C:\Windows\system32\svchost.exe{B81B27B7-AED1-61F9-B90B-02000000CE01}716C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087544Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:03.568{B81B27B7-AED0-61F9-B70B-02000000CE01}37402092C:\Windows\Explorer.EXE{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087543Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:03.568{B81B27B7-AED0-61F9-B70B-02000000CE01}37403356C:\Windows\Explorer.EXE{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+57c95|C:\Windows\System32\TwinUI.dll+37528|C:\Windows\System32\TwinUI.dll+37448|C:\Windows\System32\TwinUI.dll+38893|C:\Windows\System32\TwinUI.dll+36e6d|C:\Windows\System32\TwinUI.dll+36c71|C:\Windows\System32\TwinUI.dll+10928d|C:\Windows\System32\TwinUI.dll+d211f|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087542Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:03.568{B81B27B7-AED0-61F9-B70B-02000000CE01}37403356C:\Windows\Explorer.EXE{B81B27B7-AED1-61F9-B90B-02000000CE01}716C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+57c95|C:\Windows\System32\TwinUI.dll+37590|C:\Windows\System32\TwinUI.dll+37435|C:\Windows\System32\TwinUI.dll+38893|C:\Windows\System32\TwinUI.dll+36e6d|C:\Windows\System32\TwinUI.dll+36c71|C:\Windows\System32\TwinUI.dll+10928d|C:\Windows\System32\TwinUI.dll+d211f|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000071087541Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:03.506{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F9E71DB23F5776570A75E90AFB52CA8,SHA256=3DFF0DF88051AAC2FC2B4F4FB8C73BDF085DC2FEEF220DA1DF2822055B5CE2A4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000150685177Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:03.506{3BF36828-BBAF-61F9-990D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000150685176Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:03.506{3BF36828-BBAF-61F9-990D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000150685175Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:03.506{3BF36828-BBAF-61F9-990D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000150685174Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:03.491{3BF36828-BBAF-61F9-990D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000150685173Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:03.491{3BF36828-BBAF-61F9-990D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000150685172Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:03.491{3BF36828-BBAF-61F9-990D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000150685171Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:03.491{3BF36828-BBAF-61F9-990D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000150685170Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:03.491{3BF36828-BBAF-61F9-990D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000150685169Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:03.491{3BF36828-BBAF-61F9-990D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000150685168Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:03.491{3BF36828-BBAF-61F9-990D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000150685167Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:03.491{3BF36828-BBAF-61F9-990D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000150685166Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:03.491{3BF36828-BBAF-61F9-990D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000150685165Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:03.491{3BF36828-BBAF-61F9-990D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000150685164Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:03.491{3BF36828-BBAF-61F9-990D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000150685163Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:03.491{3BF36828-BBAF-61F9-990D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000150685162Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:03.491{3BF36828-BBAF-61F9-990D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000150685161Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:03.491{3BF36828-BBAF-61F9-990D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000150685160Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:03.491{3BF36828-BBAF-61F9-990D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000150685159Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:03.491{3BF36828-BBAF-61F9-990D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000150685158Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:03.491{3BF36828-BBAF-61F9-990D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000150685157Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:03.491{3BF36828-BBAF-61F9-990D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000150685156Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:03.475{3BF36828-BBAF-61F9-990D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000150685155Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:03.475{3BF36828-BBAF-61F9-990D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000150685154Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:03.475{3BF36828-BBAF-61F9-990D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x8000000000000000150685153Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:03.475{3BF36828-BBAF-61F9-990D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000150685152Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:03.475{3BF36828-BBAF-61F9-990D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000150685151Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:03.475{3BF36828-BBAF-61F9-990D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000150685150Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:03.475{3BF36828-BBAF-61F9-990D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000150685149Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:03.475{3BF36828-BBAF-61F9-990D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000150685148Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:03.475{3BF36828-BBAF-61F9-990D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000150685147Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:03.475{3BF36828-BBAF-61F9-990D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000150685146Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:03.475{3BF36828-BBAF-61F9-990D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000150685145Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:03.475{3BF36828-BBAF-61F9-990D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000150685144Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:03.475{3BF36828-BBAF-61F9-990D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000150685143Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:03.475{3BF36828-BBAF-61F9-990D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150685142Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:03.475{3BF36828-BBAF-61F9-990D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000150685141Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:03.475{3BF36828-4B4B-61E8-3600-00000000CF01}34443464C:\Windows\system32\conhost.exe{3BF36828-BBAF-61F9-990D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150685140Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:03.475{3BF36828-BBAF-61F9-990D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000150685139Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:03.475{3BF36828-BBAF-61F9-990D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000150685138Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:03.475{3BF36828-BBAF-61F9-990D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150685137Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:03.475{3BF36828-BBAF-61F9-990D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165trueSplunk, Inc.Valid 10341000x8000000000000000150685136Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:03.475{3BF36828-4B39-61E8-0C00-00000000CF01}8402592C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150685135Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:03.475{3BF36828-4B39-61E8-0C00-00000000CF01}8402592C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150685134Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:03.475{3BF36828-4B39-61E8-0C00-00000000CF01}8402592C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150685133Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:03.475{3BF36828-4B39-61E8-0C00-00000000CF01}8402592C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150685132Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:03.475{3BF36828-4B36-61E8-0500-00000000CF01}4164876C:\Windows\system32\csrss.exe{3BF36828-BBAF-61F9-990D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000150685131Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:03.475{3BF36828-4B49-61E8-2D00-00000000CF01}30564072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-BBAF-61F9-990D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000150685130Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:03.460{3BF36828-BBAF-61F9-990D-02000000CF01}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4B37-61E8-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x8000000000000000150685129Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:03.023{3BF36828-BBAE-61F9-980D-02000000CF01}5756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000150685128Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:03.023{3BF36828-BBAE-61F9-980D-02000000CF01}5756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000150685127Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:03.023{3BF36828-BBAE-61F9-980D-02000000CF01}5756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 354300x800000000000000071087540Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:00:55.721{B81B27B7-4B45-61E8-6600-00000000CE01}4020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local54123-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000071087574Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:04.834{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63DB9C1506482C3E567EB7828966983D,SHA256=D3F7D7F91AE92F7F1CB8256162B5BC6BD9852EACA44B258EEFD41EA8047015D6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685184Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:04.694{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F43EE81D3CE13D260BE8C304D606FD6D,SHA256=9A4489D2A52FB20C3B463F604348D8AA74C99AA5766A9701D499E473426EE924,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087575Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:05.849{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AC86E50F21C95A35F3AD60904207547,SHA256=36BCF03380AA74D3BBCC8D0302D5393ACA94ABFBD5F2882264CB1DAB17DF9E5C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685186Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:05.694{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1E573B0867E0EB0EA1CD00237E2073D,SHA256=9B15AA5763BD9DF597058572AAA099779AD70D29A6D0BBC5ED968B549427045B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685185Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:05.194{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BB7F5F671E74FEBCD284D2250FEDD852,SHA256=0E2CD3085D8CBFD21C1402F88B3E34B1BFE7B65A758E8F2BB466FED47759F973,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087576Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:06.881{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4CF8BC3EF70062CE7CB0EDD4C59250B,SHA256=2C0841B3844DE79C9EDA4740B231ADD744506A7798E0A399AD60A537DF5CAD34,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685188Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:06.725{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E7FD43F5980327045B9E07636F114B4,SHA256=95C55BAF0221184A5D3FB3E62A5AACEDDA66FA898EDF5170ECA4D84201DF6DB3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000150685187Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:47.733{3BF36828-4B56-61E8-6D00-00000000CF01}4044C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local59795-false10.0.1.12-8000- 23542300x800000000000000071087577Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:07.883{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7E7552838B70DDA386A6F52E23F4EC9,SHA256=57BB1D7E097B774F1C74CED2800F8CE4989B4BF02525ED19B66E69883204E23C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685189Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:07.756{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60CF6499920409D5B02E415851516DC5,SHA256=A6700C55713A48FEEC93785E3A38017088258A5A36CC630A9F996C1B15AD89AA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685245Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:08.850{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2744EB535086A93131FEC63168729632,SHA256=B027E0A58E408640168F9E536B8248B2788D94C85CB9FFDE7A4F4BDFCEA29DC7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000071087602Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:08.739{B81B27B7-4B39-61E8-0C00-00000000CE01}736760C:\Windows\system32\svchost.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000071087601Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:08.739{B81B27B7-4B39-61E8-0C00-00000000CE01}736760C:\Windows\system32\svchost.exe{B81B27B7-AED1-61F9-B90B-02000000CE01}716C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000071087600Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:08.739{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-AED1-61F9-B90B-02000000CE01}716C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000071087599Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:08.739{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000071087598Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:08.739{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-AED1-61F9-B90B-02000000CE01}716C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000071087597Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:08.739{B81B27B7-AED0-61F9-AF0B-02000000CE01}21361832C:\Windows\system32\sihost.exe{B81B27B7-AED1-61F9-B90B-02000000CE01}716C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087596Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:08.692{B81B27B7-4B39-61E8-0C00-00000000CE01}736760C:\Windows\system32\svchost.exe{B81B27B7-AED1-61F9-B90B-02000000CE01}716C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000071087595Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:08.692{B81B27B7-4B39-61E8-0C00-00000000CE01}736760C:\Windows\system32\svchost.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000071087594Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:08.692{B81B27B7-4B39-61E8-0C00-00000000CE01}736760C:\Windows\system32\svchost.exe{B81B27B7-AED1-61F9-B90B-02000000CE01}716C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000071087593Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:08.692{B81B27B7-4B3A-61E8-2100-00000000CE01}1076856C:\Windows\system32\svchost.exe{B81B27B7-AED1-61F9-B90B-02000000CE01}716C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\tileobjserver.dll+bce2|c:\windows\system32\tileobjserver.dll+26da2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000071087592Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:08.692{B81B27B7-4B3A-61E8-2100-00000000CE01}1076856C:\Windows\system32\svchost.exe{B81B27B7-AED1-61F9-B90B-02000000CE01}716C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|c:\windows\system32\tileobjserver.dll+bc8f|c:\windows\system32\tileobjserver.dll+26da2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 354300x800000000000000071087591Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:01.692{B81B27B7-4B45-61E8-6600-00000000CE01}4020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local54124-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x800000000000000071087590Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:08.426{B81B27B7-AED0-61F9-B70B-02000000CE01}37403356C:\Windows\Explorer.EXE{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000071087589Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:08.426{B81B27B7-AED0-61F9-B70B-02000000CE01}37403356C:\Windows\Explorer.EXE{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000071087588Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:08.426{B81B27B7-AED0-61F9-B70B-02000000CE01}3740528C:\Windows\Explorer.EXE{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087587Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:08.426{B81B27B7-4B39-61E8-0C00-00000000CE01}7364796C:\Windows\system32\svchost.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087586Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:08.426{B81B27B7-AED0-61F9-B70B-02000000CE01}3740528C:\Windows\Explorer.EXE{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087585Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:08.426{B81B27B7-4B39-61E8-0C00-00000000CE01}736760C:\Windows\system32\svchost.exe{B81B27B7-AED1-61F9-B90B-02000000CE01}716C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087584Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:08.411{B81B27B7-AED0-61F9-B70B-02000000CE01}37404388C:\Windows\Explorer.EXE{B81B27B7-BB14-61F9-4E0D-02000000CE01}2400C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+15d19|C:\Windows\System32\SHELL32.dll+b1b50|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087583Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:08.411{B81B27B7-4B39-61E8-0C00-00000000CE01}7364796C:\Windows\system32\svchost.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087582Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:08.411{B81B27B7-AED0-61F9-B70B-02000000CE01}37404388C:\Windows\Explorer.EXE{B81B27B7-BB14-61F9-4E0D-02000000CE01}2400C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087581Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:08.411{B81B27B7-AED0-61F9-B70B-02000000CE01}37402724C:\Windows\Explorer.EXE{B81B27B7-BB14-61F9-4F0D-02000000CE01}5020C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13af|C:\Windows\System32\SHELL32.dll+b2af0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087580Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:08.411{B81B27B7-AED0-61F9-B70B-02000000CE01}37402724C:\Windows\Explorer.EXE{B81B27B7-BB14-61F9-4F0D-02000000CE01}5020C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+981b0|C:\Windows\System32\SHELL32.dll+b2aac|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087579Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:08.411{B81B27B7-AED0-61F9-B70B-02000000CE01}37402724C:\Windows\Explorer.EXE{B81B27B7-BB14-61F9-4F0D-02000000CE01}5020C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b2a80|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087578Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:08.411{B81B27B7-AED0-61F9-B70B-02000000CE01}37402724C:\Windows\Explorer.EXE{B81B27B7-BB14-61F9-4F0D-02000000CE01}5020C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150685244Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:08.709{3BF36828-BBB4-61F9-9A0D-02000000CF01}5104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000150685243Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:08.709{3BF36828-BBB4-61F9-9A0D-02000000CF01}5104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000150685242Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:08.709{3BF36828-BBB4-61F9-9A0D-02000000CF01}5104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000150685241Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:08.537{3BF36828-BBB4-61F9-9A0D-02000000CF01}5104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000150685240Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:08.537{3BF36828-BBB4-61F9-9A0D-02000000CF01}5104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000150685239Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:08.537{3BF36828-BBB4-61F9-9A0D-02000000CF01}5104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000150685238Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:08.537{3BF36828-BBB4-61F9-9A0D-02000000CF01}5104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000150685237Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:08.537{3BF36828-BBB4-61F9-9A0D-02000000CF01}5104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000150685236Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:08.537{3BF36828-BBB4-61F9-9A0D-02000000CF01}5104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000150685235Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:08.537{3BF36828-BBB4-61F9-9A0D-02000000CF01}5104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000150685234Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:08.537{3BF36828-BBB4-61F9-9A0D-02000000CF01}5104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000150685233Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:08.522{3BF36828-BBB4-61F9-9A0D-02000000CF01}5104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000150685232Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:08.522{3BF36828-BBB4-61F9-9A0D-02000000CF01}5104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000150685231Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:08.522{3BF36828-BBB4-61F9-9A0D-02000000CF01}5104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000150685230Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:08.522{3BF36828-BBB4-61F9-9A0D-02000000CF01}5104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000150685229Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:08.522{3BF36828-BBB4-61F9-9A0D-02000000CF01}5104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000150685228Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:08.522{3BF36828-BBB4-61F9-9A0D-02000000CF01}5104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000150685227Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:08.522{3BF36828-BBB4-61F9-9A0D-02000000CF01}5104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000150685226Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:08.522{3BF36828-BBB4-61F9-9A0D-02000000CF01}5104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000150685225Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:08.522{3BF36828-BBB4-61F9-9A0D-02000000CF01}5104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000150685224Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:08.522{3BF36828-BBB4-61F9-9A0D-02000000CF01}5104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000150685223Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:08.522{3BF36828-BBB4-61F9-9A0D-02000000CF01}5104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000150685222Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:08.522{3BF36828-BBB4-61F9-9A0D-02000000CF01}5104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000150685221Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:08.522{3BF36828-BBB4-61F9-9A0D-02000000CF01}5104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000150685220Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:08.522{3BF36828-BBB4-61F9-9A0D-02000000CF01}5104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150685219Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:08.522{3BF36828-BBB4-61F9-9A0D-02000000CF01}5104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000150685218Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:08.522{3BF36828-BBB4-61F9-9A0D-02000000CF01}5104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000150685217Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:08.522{3BF36828-BBB4-61F9-9A0D-02000000CF01}5104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000150685216Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:08.522{3BF36828-BBB4-61F9-9A0D-02000000CF01}5104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000150685215Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:08.522{3BF36828-BBB4-61F9-9A0D-02000000CF01}5104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000150685214Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:08.522{3BF36828-BBB4-61F9-9A0D-02000000CF01}5104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000150685213Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:08.522{3BF36828-BBB4-61F9-9A0D-02000000CF01}5104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000150685212Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:08.522{3BF36828-BBB4-61F9-9A0D-02000000CF01}5104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000150685211Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:08.522{3BF36828-BBB4-61F9-9A0D-02000000CF01}5104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x8000000000000000150685210Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:08.522{3BF36828-BBB4-61F9-9A0D-02000000CF01}5104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000150685209Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:08.522{3BF36828-BBB4-61F9-9A0D-02000000CF01}5104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000150685208Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:08.522{3BF36828-BBB4-61F9-9A0D-02000000CF01}5104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x8000000000000000150685207Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:08.522{3BF36828-BBB4-61F9-9A0D-02000000CF01}5104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x8000000000000000150685206Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:08.522{3BF36828-BBB4-61F9-9A0D-02000000CF01}5104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000150685205Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:08.522{3BF36828-BBB4-61F9-9A0D-02000000CF01}5104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x8000000000000000150685204Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:08.522{3BF36828-BBB4-61F9-9A0D-02000000CF01}5104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000150685203Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:08.522{3BF36828-BBB4-61F9-9A0D-02000000CF01}5104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000150685202Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:08.522{3BF36828-BBB4-61F9-9A0D-02000000CF01}5104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x8000000000000000150685201Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:08.522{3BF36828-4B4B-61E8-3600-00000000CF01}34443464C:\Windows\system32\conhost.exe{3BF36828-BBB4-61F9-9A0D-02000000CF01}5104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150685200Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:08.522{3BF36828-BBB4-61F9-9A0D-02000000CF01}5104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000150685199Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:08.522{3BF36828-BBB4-61F9-9A0D-02000000CF01}5104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000150685198Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:08.522{3BF36828-BBB4-61F9-9A0D-02000000CF01}5104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150685197Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:08.522{3BF36828-BBB4-61F9-9A0D-02000000CF01}5104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AECtrueSplunk, Inc.Valid 10341000x8000000000000000150685196Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:08.522{3BF36828-4B39-61E8-0C00-00000000CF01}8402592C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150685195Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:08.522{3BF36828-4B39-61E8-0C00-00000000CF01}8402592C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150685194Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:08.522{3BF36828-4B39-61E8-0C00-00000000CF01}8402592C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150685193Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:08.522{3BF36828-4B39-61E8-0C00-00000000CF01}8402592C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150685192Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:08.522{3BF36828-4B36-61E8-0500-00000000CF01}416532C:\Windows\system32\csrss.exe{3BF36828-BBB4-61F9-9A0D-02000000CF01}5104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000150685191Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:08.522{3BF36828-4B49-61E8-2D00-00000000CF01}30564072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-BBB4-61F9-9A0D-02000000CF01}5104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000150685190Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:08.507{3BF36828-BBB4-61F9-9A0D-02000000CF01}5104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4B37-61E8-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000150685346Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:09.991{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=494814A6A02140E6327AB09738818162,SHA256=910176F9DF02DCE4838DFF8E70F5BA1A7CFBE1AEC8CCFFE2984B98D01795D13C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000150685345Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:09.928{3BF36828-BBB5-61F9-9C0D-02000000CF01}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000150685344Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:09.912{3BF36828-BBB5-61F9-9C0D-02000000CF01}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000150685343Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:09.912{3BF36828-BBB5-61F9-9C0D-02000000CF01}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000150685342Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:09.912{3BF36828-BBB5-61F9-9C0D-02000000CF01}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000150685341Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:09.912{3BF36828-BBB5-61F9-9C0D-02000000CF01}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000150685340Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:09.912{3BF36828-BBB5-61F9-9C0D-02000000CF01}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000150685339Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:09.912{3BF36828-BBB5-61F9-9C0D-02000000CF01}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000150685338Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:09.912{3BF36828-BBB5-61F9-9C0D-02000000CF01}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000150685337Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:09.912{3BF36828-BBB5-61F9-9C0D-02000000CF01}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000150685336Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:09.912{3BF36828-BBB5-61F9-9C0D-02000000CF01}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000150685335Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:09.912{3BF36828-BBB5-61F9-9C0D-02000000CF01}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000150685334Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:09.912{3BF36828-BBB5-61F9-9C0D-02000000CF01}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000150685333Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:09.897{3BF36828-BBB5-61F9-9C0D-02000000CF01}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000150685332Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:09.897{3BF36828-BBB5-61F9-9C0D-02000000CF01}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000150685331Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:09.897{3BF36828-BBB5-61F9-9C0D-02000000CF01}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000150685330Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:09.897{3BF36828-BBB5-61F9-9C0D-02000000CF01}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000150685329Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:09.897{3BF36828-BBB5-61F9-9C0D-02000000CF01}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150685328Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:09.897{3BF36828-BBB5-61F9-9C0D-02000000CF01}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000150685327Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:09.897{3BF36828-BBB5-61F9-9C0D-02000000CF01}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000150685326Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:09.897{3BF36828-BBB5-61F9-9C0D-02000000CF01}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000150685325Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:09.897{3BF36828-BBB5-61F9-9C0D-02000000CF01}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000150685324Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:09.897{3BF36828-BBB5-61F9-9C0D-02000000CF01}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000150685323Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:09.897{3BF36828-BBB5-61F9-9C0D-02000000CF01}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000150685322Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:09.897{3BF36828-BBB5-61F9-9C0D-02000000CF01}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000150685321Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:09.897{3BF36828-BBB5-61F9-9C0D-02000000CF01}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000150685320Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:09.897{3BF36828-BBB5-61F9-9C0D-02000000CF01}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000150685319Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:09.897{3BF36828-BBB5-61F9-9C0D-02000000CF01}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000150685318Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:09.897{3BF36828-BBB5-61F9-9C0D-02000000CF01}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000150685317Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:09.897{3BF36828-BBB5-61F9-9C0D-02000000CF01}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000150685316Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:09.897{3BF36828-BBB5-61F9-9C0D-02000000CF01}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000150685315Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:09.897{3BF36828-BBB5-61F9-9C0D-02000000CF01}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000150685314Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:09.897{3BF36828-BBB5-61F9-9C0D-02000000CF01}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000150685313Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:09.897{3BF36828-BBB5-61F9-9C0D-02000000CF01}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000150685312Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:09.897{3BF36828-BBB5-61F9-9C0D-02000000CF01}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000150685311Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:09.897{3BF36828-BBB5-61F9-9C0D-02000000CF01}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000150685310Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:09.897{3BF36828-BBB5-61F9-9C0D-02000000CF01}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x8000000000000000150685309Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:09.897{3BF36828-4B4B-61E8-3600-00000000CF01}34443464C:\Windows\system32\conhost.exe{3BF36828-BBB5-61F9-9C0D-02000000CF01}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150685308Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:09.897{3BF36828-BBB5-61F9-9C0D-02000000CF01}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000150685307Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:09.897{3BF36828-BBB5-61F9-9C0D-02000000CF01}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000150685306Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:09.897{3BF36828-BBB5-61F9-9C0D-02000000CF01}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150685305Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:09.897{3BF36828-BBB5-61F9-9C0D-02000000CF01}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25trueSplunk, Inc.Valid 10341000x8000000000000000150685304Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:09.897{3BF36828-4B39-61E8-0C00-00000000CF01}8402592C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150685303Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:09.897{3BF36828-4B39-61E8-0C00-00000000CF01}8402592C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150685302Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:09.897{3BF36828-4B39-61E8-0C00-00000000CF01}8402592C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150685301Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:09.897{3BF36828-4B39-61E8-0C00-00000000CF01}8402592C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150685300Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:09.897{3BF36828-4B36-61E8-0500-00000000CF01}416432C:\Windows\system32\csrss.exe{3BF36828-BBB5-61F9-9C0D-02000000CF01}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000150685299Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:09.897{3BF36828-4B49-61E8-2D00-00000000CF01}30564072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-BBB5-61F9-9C0D-02000000CF01}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000150685298Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:09.882{3BF36828-BBB5-61F9-9C0D-02000000CF01}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4B37-61E8-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000071087619Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:09.914{B81B27B7-4B3C-61E8-3000-00000000CE01}31083128C:\Windows\system32\conhost.exe{B81B27B7-BBB5-61F9-620D-02000000CE01}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087618Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:09.914{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087617Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:09.914{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087616Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:09.914{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087615Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:09.914{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087614Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:09.914{B81B27B7-4B38-61E8-0500-00000000CE01}4201000C:\Windows\system32\csrss.exe{B81B27B7-BBB5-61F9-620D-02000000CE01}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000071087613Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:09.914{B81B27B7-4B3A-61E8-2600-00000000CE01}21723992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-BBB5-61F9-620D-02000000CE01}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000071087612Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:09.900{B81B27B7-BBB5-61F9-620D-02000000CE01}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4B39-61E8-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000071087611Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:09.352{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4BCD786756740523DE7C2DCEF16CC35,SHA256=852617B36798C54A83D44E5019967B1455573A4CE43C63198DE990EE1592D6E8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000071087610Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:09.227{B81B27B7-4B3C-61E8-3000-00000000CE01}31083128C:\Windows\system32\conhost.exe{B81B27B7-BBB5-61F9-610D-02000000CE01}2808C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087609Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:09.227{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087608Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:09.227{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087607Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:09.227{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087606Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:09.227{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087605Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:09.227{B81B27B7-4B38-61E8-0500-00000000CE01}420436C:\Windows\system32\csrss.exe{B81B27B7-BBB5-61F9-610D-02000000CE01}2808C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000071087604Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:09.227{B81B27B7-4B3A-61E8-2600-00000000CE01}21723992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-BBB5-61F9-610D-02000000CE01}2808C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000071087603Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:09.212{B81B27B7-BBB5-61F9-610D-02000000CE01}2808C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4B39-61E8-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000150685297Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:09.741{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6D0A97EC8AE30101E8737302D723D79A,SHA256=799B5576557DF439CC7630A58842D0FE370D7AFAD6A194AAF4F9270D885358B4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000150685296Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:09.381{3BF36828-BBB5-61F9-9B0D-02000000CF01}5068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000150685295Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:09.381{3BF36828-BBB5-61F9-9B0D-02000000CF01}50684672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150685294Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:09.381{3BF36828-BBB5-61F9-9B0D-02000000CF01}5068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000150685293Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:09.381{3BF36828-BBB5-61F9-9B0D-02000000CF01}5068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000150685292Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:09.241{3BF36828-BBB5-61F9-9B0D-02000000CF01}5068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000150685291Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:09.241{3BF36828-BBB5-61F9-9B0D-02000000CF01}5068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000150685290Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:09.241{3BF36828-BBB5-61F9-9B0D-02000000CF01}5068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000150685289Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:09.225{3BF36828-BBB5-61F9-9B0D-02000000CF01}5068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000150685288Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:09.225{3BF36828-BBB5-61F9-9B0D-02000000CF01}5068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000150685287Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:09.225{3BF36828-BBB5-61F9-9B0D-02000000CF01}5068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000150685286Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:09.225{3BF36828-BBB5-61F9-9B0D-02000000CF01}5068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000150685285Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:09.225{3BF36828-BBB5-61F9-9B0D-02000000CF01}5068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000150685284Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:09.225{3BF36828-BBB5-61F9-9B0D-02000000CF01}5068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000150685283Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:09.225{3BF36828-BBB5-61F9-9B0D-02000000CF01}5068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000150685282Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:09.209{3BF36828-BBB5-61F9-9B0D-02000000CF01}5068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000150685281Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:09.209{3BF36828-BBB5-61F9-9B0D-02000000CF01}5068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000150685280Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:09.209{3BF36828-BBB5-61F9-9B0D-02000000CF01}5068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000150685279Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:09.209{3BF36828-BBB5-61F9-9B0D-02000000CF01}5068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000150685278Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:09.209{3BF36828-BBB5-61F9-9B0D-02000000CF01}5068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150685277Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:09.209{3BF36828-BBB5-61F9-9B0D-02000000CF01}5068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000150685276Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:09.209{3BF36828-BBB5-61F9-9B0D-02000000CF01}5068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000150685275Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:09.209{3BF36828-BBB5-61F9-9B0D-02000000CF01}5068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000150685274Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:09.209{3BF36828-BBB5-61F9-9B0D-02000000CF01}5068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000150685273Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:09.209{3BF36828-BBB5-61F9-9B0D-02000000CF01}5068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000150685272Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:09.209{3BF36828-BBB5-61F9-9B0D-02000000CF01}5068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000150685271Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:09.209{3BF36828-BBB5-61F9-9B0D-02000000CF01}5068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000150685270Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:09.209{3BF36828-BBB5-61F9-9B0D-02000000CF01}5068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000150685269Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:09.209{3BF36828-BBB5-61F9-9B0D-02000000CF01}5068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000150685268Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:09.209{3BF36828-BBB5-61F9-9B0D-02000000CF01}5068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000150685267Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:09.209{3BF36828-BBB5-61F9-9B0D-02000000CF01}5068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000150685266Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:09.209{3BF36828-BBB5-61F9-9B0D-02000000CF01}5068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000150685265Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:09.209{3BF36828-BBB5-61F9-9B0D-02000000CF01}5068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000150685264Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:09.209{3BF36828-BBB5-61F9-9B0D-02000000CF01}5068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000150685263Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:09.209{3BF36828-BBB5-61F9-9B0D-02000000CF01}5068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000150685262Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:09.209{3BF36828-BBB5-61F9-9B0D-02000000CF01}5068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000150685261Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:09.209{3BF36828-BBB5-61F9-9B0D-02000000CF01}5068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000150685260Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:09.209{3BF36828-BBB5-61F9-9B0D-02000000CF01}5068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000150685259Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:09.209{3BF36828-BBB5-61F9-9B0D-02000000CF01}5068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000150685258Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:09.209{3BF36828-BBB5-61F9-9B0D-02000000CF01}5068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x8000000000000000150685257Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:09.209{3BF36828-4B4B-61E8-3600-00000000CF01}34443464C:\Windows\system32\conhost.exe{3BF36828-BBB5-61F9-9B0D-02000000CF01}5068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150685256Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:09.209{3BF36828-BBB5-61F9-9B0D-02000000CF01}5068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000150685255Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:09.209{3BF36828-BBB5-61F9-9B0D-02000000CF01}5068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000150685254Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:09.209{3BF36828-BBB5-61F9-9B0D-02000000CF01}5068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150685253Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:09.209{3BF36828-BBB5-61F9-9B0D-02000000CF01}5068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x8000000000000000150685252Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:09.209{3BF36828-4B39-61E8-0C00-00000000CF01}8402592C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150685251Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:09.209{3BF36828-4B39-61E8-0C00-00000000CF01}8402592C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150685250Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:09.209{3BF36828-4B39-61E8-0C00-00000000CF01}8402592C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150685249Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:09.209{3BF36828-4B39-61E8-0C00-00000000CF01}8402592C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150685248Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:09.209{3BF36828-4B36-61E8-0500-00000000CF01}416432C:\Windows\system32\csrss.exe{3BF36828-BBB5-61F9-9B0D-02000000CF01}5068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000150685247Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:09.209{3BF36828-4B49-61E8-2D00-00000000CF01}30564072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-BBB5-61F9-9B0D-02000000CF01}5068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000150685246Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:09.195{3BF36828-BBB5-61F9-9B0D-02000000CF01}5068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4B37-61E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000071087631Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:10.508{B81B27B7-4B3C-61E8-3000-00000000CE01}31083128C:\Windows\system32\conhost.exe{B81B27B7-BBB6-61F9-630D-02000000CE01}5108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087630Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:10.508{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087629Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:10.508{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087628Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:10.508{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087627Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:10.508{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087626Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:10.508{B81B27B7-4B38-61E8-0500-00000000CE01}420436C:\Windows\system32\csrss.exe{B81B27B7-BBB6-61F9-630D-02000000CE01}5108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000071087625Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:10.508{B81B27B7-4B3A-61E8-2600-00000000CE01}21723992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-BBB6-61F9-630D-02000000CE01}5108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000071087624Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:10.494{B81B27B7-BBB6-61F9-630D-02000000CE01}5108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4B39-61E8-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000071087623Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:10.258{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2492509BB7BA2A1DD991C51A98ABAAC0,SHA256=39AE801B401922F1542E4AAB202AF276E6279655EB1F2A879ED05612EFEDE7DA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685403Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:10.897{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4D8499710D003841D42CDBCD3E5F22C6,SHA256=C8E61AB20A83F773F98018CF5B8C15B3C75A63BFEC7D715C1BB51AE9953CD49F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000150685402Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:10.787{3BF36828-BBB6-61F9-9D0D-02000000CF01}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000150685401Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:10.787{3BF36828-BBB6-61F9-9D0D-02000000CF01}57205804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150685400Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:10.787{3BF36828-BBB6-61F9-9D0D-02000000CF01}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000150685399Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:10.787{3BF36828-BBB6-61F9-9D0D-02000000CF01}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000150685398Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:10.616{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F40BA6A1E4C5DA1D494D05A936F692D,SHA256=1E42C6637E9FCDDC1CD948D74F2B7158E242C0A2217618EBF4E8020036D8C8F5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000150685397Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:10.616{3BF36828-BBB6-61F9-9D0D-02000000CF01}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000150685396Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:10.616{3BF36828-BBB6-61F9-9D0D-02000000CF01}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000150685395Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:10.616{3BF36828-BBB6-61F9-9D0D-02000000CF01}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000150685394Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:10.600{3BF36828-BBB6-61F9-9D0D-02000000CF01}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000150685393Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:10.600{3BF36828-BBB6-61F9-9D0D-02000000CF01}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000150685392Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:10.600{3BF36828-BBB6-61F9-9D0D-02000000CF01}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000150685391Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:10.600{3BF36828-BBB6-61F9-9D0D-02000000CF01}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000150685390Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:10.600{3BF36828-BBB6-61F9-9D0D-02000000CF01}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000150685389Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:10.600{3BF36828-BBB6-61F9-9D0D-02000000CF01}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000150685388Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:10.600{3BF36828-BBB6-61F9-9D0D-02000000CF01}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000150685387Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:10.600{3BF36828-BBB6-61F9-9D0D-02000000CF01}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000150685386Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:10.600{3BF36828-BBB6-61F9-9D0D-02000000CF01}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000150685385Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:10.600{3BF36828-BBB6-61F9-9D0D-02000000CF01}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000150685384Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:10.584{3BF36828-BBB6-61F9-9D0D-02000000CF01}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000150685383Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:10.584{3BF36828-BBB6-61F9-9D0D-02000000CF01}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000150685382Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:10.584{3BF36828-BBB6-61F9-9D0D-02000000CF01}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000150685381Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:10.584{3BF36828-BBB6-61F9-9D0D-02000000CF01}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000150685380Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:10.584{3BF36828-BBB6-61F9-9D0D-02000000CF01}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000150685379Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:10.584{3BF36828-BBB6-61F9-9D0D-02000000CF01}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000150685378Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:10.584{3BF36828-BBB6-61F9-9D0D-02000000CF01}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150685377Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:10.584{3BF36828-BBB6-61F9-9D0D-02000000CF01}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000150685376Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:10.584{3BF36828-BBB6-61F9-9D0D-02000000CF01}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000150685375Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:10.584{3BF36828-BBB6-61F9-9D0D-02000000CF01}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000150685374Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:10.584{3BF36828-BBB6-61F9-9D0D-02000000CF01}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000150685373Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:10.584{3BF36828-BBB6-61F9-9D0D-02000000CF01}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000150685372Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:10.584{3BF36828-BBB6-61F9-9D0D-02000000CF01}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000150685371Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:10.584{3BF36828-BBB6-61F9-9D0D-02000000CF01}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000150685370Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:10.584{3BF36828-BBB6-61F9-9D0D-02000000CF01}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000150685369Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:10.584{3BF36828-BBB6-61F9-9D0D-02000000CF01}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000150685368Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:10.584{3BF36828-BBB6-61F9-9D0D-02000000CF01}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000150685367Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:10.584{3BF36828-BBB6-61F9-9D0D-02000000CF01}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000150685366Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:10.584{3BF36828-BBB6-61F9-9D0D-02000000CF01}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000150685365Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:10.584{3BF36828-BBB6-61F9-9D0D-02000000CF01}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000150685364Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:10.584{3BF36828-BBB6-61F9-9D0D-02000000CF01}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000150685363Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:10.584{3BF36828-BBB6-61F9-9D0D-02000000CF01}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x8000000000000000150685362Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:10.584{3BF36828-4B4B-61E8-3600-00000000CF01}34443464C:\Windows\system32\conhost.exe{3BF36828-BBB6-61F9-9D0D-02000000CF01}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150685361Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:10.584{3BF36828-BBB6-61F9-9D0D-02000000CF01}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000150685360Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:10.584{3BF36828-BBB6-61F9-9D0D-02000000CF01}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000150685359Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:10.584{3BF36828-BBB6-61F9-9D0D-02000000CF01}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150685358Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:10.584{3BF36828-BBB6-61F9-9D0D-02000000CF01}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x8000000000000000150685357Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:10.584{3BF36828-4B39-61E8-0C00-00000000CF01}8402592C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150685356Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:10.584{3BF36828-4B39-61E8-0C00-00000000CF01}8402592C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150685355Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:10.584{3BF36828-4B39-61E8-0C00-00000000CF01}8402592C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150685354Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:10.584{3BF36828-4B39-61E8-0C00-00000000CF01}8402592C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150685353Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:10.584{3BF36828-4B36-61E8-0500-00000000CF01}416432C:\Windows\system32\csrss.exe{3BF36828-BBB6-61F9-9D0D-02000000CF01}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000150685352Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:10.584{3BF36828-4B49-61E8-2D00-00000000CF01}30564072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-BBB6-61F9-9D0D-02000000CF01}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000150685351Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:10.570{3BF36828-BBB6-61F9-9D0D-02000000CF01}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4B37-61E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x8000000000000000150685350Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:10.116{3BF36828-BBB5-61F9-9C0D-02000000CF01}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000150685349Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:10.116{3BF36828-BBB5-61F9-9C0D-02000000CF01}45805456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150685348Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:10.116{3BF36828-BBB5-61F9-9C0D-02000000CF01}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000150685347Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:10.116{3BF36828-BBB5-61F9-9C0D-02000000CF01}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000071087622Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:10.227{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4A4C5253A3FEFE41FE7BC91A9E27DC6D,SHA256=905CEAE00F3936ECC01D9F0744520D7AEBC2EF473D6A6F5B039D19336CBCC3A0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087621Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:10.227{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E31CF765FD57B615DC5E55FAB51CF384,SHA256=8B423BB81DF6B5B9C61B4920709722D9A0DF045383253A7064389A0D93AD2BC8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000071087620Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:10.164{B81B27B7-BBB5-61F9-620D-02000000CE01}44521800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000071087633Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:11.508{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4A4C5253A3FEFE41FE7BC91A9E27DC6D,SHA256=905CEAE00F3936ECC01D9F0744520D7AEBC2EF473D6A6F5B039D19336CBCC3A0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087632Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:11.274{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB999F4DCE95867AB96B1C4208E6B40B,SHA256=8D17D8C64DCE8F4F847CD7902D45F9035EF63DC59DAC4F504620BDE3655EDFC1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685404Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:11.069{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6769059B21596AA7A5C8D6993043D0DF,SHA256=F4D34AFF90C452E5A2795D0A3E75F8DD73B8F5EC9B0EE2F1C650CA76BAA152BC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087634Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:12.274{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EAA6130479ACE26C41550C6F0EEF4AE,SHA256=DE7AB97C92A65B412291CEB74F8EFB6FED68478D8BD534ED25CDB3B99EBB23F8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000150685406Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:53.732{3BF36828-4B56-61E8-6D00-00000000CF01}4044C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local59796-false10.0.1.12-8000- 23542300x8000000000000000150685405Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:12.131{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D6C3DFDC0451D352F8FC258C0509982,SHA256=A187B7E21B68E3A24A2AED6BEA9D98430B954240940470378F45CA0DC8101815,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000071087645Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:13.883{B81B27B7-4B39-61E8-0C00-00000000CE01}736760C:\Windows\system32\svchost.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000071087644Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:13.883{B81B27B7-4B39-61E8-0C00-00000000CE01}736760C:\Windows\system32\svchost.exe{B81B27B7-AED1-61F9-B90B-02000000CE01}716C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000071087643Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:13.883{B81B27B7-4B39-61E8-0C00-00000000CE01}7362736C:\Windows\system32\svchost.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000071087642Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:13.883{B81B27B7-4B39-61E8-0C00-00000000CE01}7362736C:\Windows\system32\svchost.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000071087641Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:13.883{B81B27B7-4B39-61E8-0C00-00000000CE01}7362736C:\Windows\system32\svchost.exe{B81B27B7-AED1-61F9-B90B-02000000CE01}716C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000071087640Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:13.883{B81B27B7-AED0-61F9-AF0B-02000000CE01}21364960C:\Windows\system32\sihost.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000071087639Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:06.879{B81B27B7-4B45-61E8-6600-00000000CE01}4020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local54125-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x800000000000000071087638Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:13.711{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000071087637Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:13.711{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000071087636Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:13.711{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-AED1-61F9-B90B-02000000CE01}716C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 23542300x800000000000000071087635Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:13.305{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F8E7967020EB15D0A6D377A47AE8023,SHA256=C12FA6301B6FCF04F81AE0564178BD2BB6BC0FD48BDFC96D2F004A372E66A34F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685407Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:13.147{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93A996D7DF6B35EF00340DDDD67DA30A,SHA256=B6D63B418AB158BB253D9A0BAAE0A446CB3F9D15A5F98DE571332F2A1ABE9ABB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087646Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:14.305{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F57EBEE6BB3C0C53CB77B5491A5AF5F,SHA256=A643757C017B0DFE689B10C79D8ED7B40E61E0A5149186072E8D6C09673CE9CC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685408Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:14.163{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D432BB505E02A38E75F97BCCB578C93C,SHA256=BDF96CFEF5192DC22E05BF5C012B23789A8CE1E083F0872504806F72FAE1305A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087647Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:15.430{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E89EEB3C80A8C36708A0BAB576F77D9F,SHA256=3AFBC196F6EEADC0C2E8D409906F240FA9399D58522D261135566B338A55DB5D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685409Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:15.194{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BFCA18F2EF536FE1E426289BC34BFB2,SHA256=F4AED1B62DD13BA0AAFEDCA68187AD22978F1F0C2DC4EA10391732576E46A2AE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087654Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:16.430{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF42A11205DD55377503E951D9BBBC21,SHA256=67D7B03A64237FC2FAA879CB93CDCEF9479A57DFB524ED8E3B62AF4BC4FD0F5E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000150685413Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:00:58.780{3BF36828-4B56-61E8-6D00-00000000CF01}4044C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local59797-false10.0.1.12-8000- 23542300x8000000000000000150685412Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:16.209{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9A7505ACC65710768D6FFD0F05C218F4,SHA256=EE077AF312BF68AD58F23310E0D1FA7277370E087BCE4A54F79FD0EEC52C9E59,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685411Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:16.209{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E030F9E8495F91B6692655509D971F82,SHA256=30271F9EF92AAF0474E277A647F8C4E464D7EBF3F730A213B036D934083862D6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685410Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:16.209{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2DBE2DB965CCECB31BD0AF0E3D4447A,SHA256=90C1265A8F97313BF2EC870E5443EE79D1FEC3D628A89B6B28B5467266BF371F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000071087653Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:16.070{B81B27B7-AED0-61F9-B70B-02000000CE01}37404388C:\Windows\Explorer.EXE{B81B27B7-BB14-61F9-4E0D-02000000CE01}2400C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+15d19|C:\Windows\System32\SHELL32.dll+b1b50|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087652Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:16.070{B81B27B7-AED0-61F9-B70B-02000000CE01}37404388C:\Windows\Explorer.EXE{B81B27B7-BB14-61F9-4E0D-02000000CE01}2400C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087651Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:16.055{B81B27B7-AED0-61F9-B70B-02000000CE01}37402724C:\Windows\Explorer.EXE{B81B27B7-BB14-61F9-4F0D-02000000CE01}5020C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13af|C:\Windows\System32\SHELL32.dll+b2af0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087650Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:16.055{B81B27B7-AED0-61F9-B70B-02000000CE01}37402724C:\Windows\Explorer.EXE{B81B27B7-BB14-61F9-4F0D-02000000CE01}5020C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+981b0|C:\Windows\System32\SHELL32.dll+b2aac|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087649Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:16.055{B81B27B7-AED0-61F9-B70B-02000000CE01}37402724C:\Windows\Explorer.EXE{B81B27B7-BB14-61F9-4F0D-02000000CE01}5020C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b2a80|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087648Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:16.055{B81B27B7-AED0-61F9-B70B-02000000CE01}37402724C:\Windows\Explorer.EXE{B81B27B7-BB14-61F9-4F0D-02000000CE01}5020C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000071087655Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:17.651{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9213B193086E5A0CE7025D506F585925,SHA256=4969669FAD912A4A06AEDB8FCDB44238FC690DC49B9CD3CD8EE39215948E05D8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000150685465Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:17.631{3BF36828-BBBD-61F9-9E0D-02000000CF01}4196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000150685464Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:17.616{3BF36828-BBBD-61F9-9E0D-02000000CF01}4196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000150685463Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:17.616{3BF36828-BBBD-61F9-9E0D-02000000CF01}4196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000150685462Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:17.412{3BF36828-BBBD-61F9-9E0D-02000000CF01}4196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000150685461Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:17.412{3BF36828-BBBD-61F9-9E0D-02000000CF01}4196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000150685460Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:17.412{3BF36828-BBBD-61F9-9E0D-02000000CF01}4196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000150685459Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:17.412{3BF36828-BBBD-61F9-9E0D-02000000CF01}4196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000150685458Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:17.412{3BF36828-BBBD-61F9-9E0D-02000000CF01}4196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000150685457Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:17.412{3BF36828-BBBD-61F9-9E0D-02000000CF01}4196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000150685456Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:17.412{3BF36828-BBBD-61F9-9E0D-02000000CF01}4196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000150685455Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:17.397{3BF36828-BBBD-61F9-9E0D-02000000CF01}4196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000150685454Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:17.397{3BF36828-BBBD-61F9-9E0D-02000000CF01}4196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000150685453Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:17.397{3BF36828-BBBD-61F9-9E0D-02000000CF01}4196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000150685452Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:17.397{3BF36828-BBBD-61F9-9E0D-02000000CF01}4196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000150685451Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:17.397{3BF36828-BBBD-61F9-9E0D-02000000CF01}4196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000150685450Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:17.397{3BF36828-BBBD-61F9-9E0D-02000000CF01}4196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000150685449Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:17.397{3BF36828-BBBD-61F9-9E0D-02000000CF01}4196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000150685448Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:17.397{3BF36828-BBBD-61F9-9E0D-02000000CF01}4196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000150685447Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:17.397{3BF36828-BBBD-61F9-9E0D-02000000CF01}4196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045,IMPHASH=2005807FD04567B79F4109D23F9E6018trueMicrosoft WindowsValid 734700x8000000000000000150685446Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:17.397{3BF36828-BBBD-61F9-9E0D-02000000CF01}4196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000150685445Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:17.397{3BF36828-BBBD-61F9-9E0D-02000000CF01}4196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000150685444Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:17.397{3BF36828-BBBD-61F9-9E0D-02000000CF01}4196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000150685443Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:17.397{3BF36828-BBBD-61F9-9E0D-02000000CF01}4196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000150685442Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:17.397{3BF36828-BBBD-61F9-9E0D-02000000CF01}4196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000150685441Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:17.397{3BF36828-BBBD-61F9-9E0D-02000000CF01}4196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000150685440Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:17.397{3BF36828-BBBD-61F9-9E0D-02000000CF01}4196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000150685439Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:17.397{3BF36828-BBBD-61F9-9E0D-02000000CF01}4196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000150685438Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:17.397{3BF36828-BBBD-61F9-9E0D-02000000CF01}4196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000150685437Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:17.397{3BF36828-BBBD-61F9-9E0D-02000000CF01}4196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000150685436Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:17.397{3BF36828-BBBD-61F9-9E0D-02000000CF01}4196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000150685435Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:17.397{3BF36828-BBBD-61F9-9E0D-02000000CF01}4196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000150685434Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:17.397{3BF36828-BBBD-61F9-9E0D-02000000CF01}4196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000150685433Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:17.397{3BF36828-BBBD-61F9-9E0D-02000000CF01}4196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000150685432Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:17.397{3BF36828-BBBD-61F9-9E0D-02000000CF01}4196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000150685431Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:17.397{3BF36828-BBBD-61F9-9E0D-02000000CF01}4196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x8000000000000000150685430Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:17.397{3BF36828-BBBD-61F9-9E0D-02000000CF01}4196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000150685429Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:17.397{3BF36828-BBBD-61F9-9E0D-02000000CF01}4196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000150685428Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:17.397{3BF36828-BBBD-61F9-9E0D-02000000CF01}4196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150685427Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:17.397{3BF36828-BBBD-61F9-9E0D-02000000CF01}4196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000150685426Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:17.397{3BF36828-4B4B-61E8-3600-00000000CF01}34443464C:\Windows\system32\conhost.exe{3BF36828-BBBD-61F9-9E0D-02000000CF01}4196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150685425Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:17.397{3BF36828-BBBD-61F9-9E0D-02000000CF01}4196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000150685424Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:17.397{3BF36828-BBBD-61F9-9E0D-02000000CF01}4196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000150685423Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:17.397{3BF36828-BBBD-61F9-9E0D-02000000CF01}4196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150685422Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:17.397{3BF36828-BBBD-61F9-9E0D-02000000CF01}4196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748trueSplunk, Inc.Valid 10341000x8000000000000000150685421Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:17.397{3BF36828-4B39-61E8-0C00-00000000CF01}8402592C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150685420Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:17.397{3BF36828-4B39-61E8-0C00-00000000CF01}8402592C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150685419Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:17.397{3BF36828-4B39-61E8-0C00-00000000CF01}8402592C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150685418Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:17.397{3BF36828-4B39-61E8-0C00-00000000CF01}8402592C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150685417Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:17.397{3BF36828-4B36-61E8-0500-00000000CF01}416532C:\Windows\system32\csrss.exe{3BF36828-BBBD-61F9-9E0D-02000000CF01}4196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000150685416Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:17.397{3BF36828-4B49-61E8-2D00-00000000CF01}30564072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-BBBD-61F9-9E0D-02000000CF01}4196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000150685415Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:17.383{3BF36828-BBBD-61F9-9E0D-02000000CF01}4196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4B37-61E8-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000150685414Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:17.287{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3927F153E0A93587D5596A95D411FAF,SHA256=97F7B5850E66E850FFB6563831AA876F35E9D90C317DC18487906909CF76C11B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000071087657Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:11.910{B81B27B7-4B45-61E8-6600-00000000CE01}4020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local54126-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000071087656Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:18.680{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43D6F8FD0F2BF1E286BCF082B0A2C9A8,SHA256=FA40A0BC418B8E396941769A20FECF2F19496C0DBC0B378474A033073321A88C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685467Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:18.522{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78133C0F1D757DB26DE6086D8693BDE6,SHA256=E94163B381545BACF5D70DAFCE6F0E71612FD661692F820AE4038CCB3A8D56A3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685466Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:18.522{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9A7505ACC65710768D6FFD0F05C218F4,SHA256=EE077AF312BF68AD58F23310E0D1FA7277370E087BCE4A54F79FD0EEC52C9E59,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087658Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:19.696{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E828FE8ABE7B7912A345FA41BFC99C7,SHA256=72DA1F85FDC4CD7CF2E577258AC502381E920A04DD095680938DD12198EEF676,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685468Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:19.537{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA900C07743A2B4C54AFE9D115C6C933,SHA256=286CFFC12B6BF4BCFDB2AFA98B8194270EBB54C20428A0B37D64F08FDCB4C60A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000071087687Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:20.930{B81B27B7-BBC0-61F9-650D-02000000CE01}3076C:\Tools\x64\mimikatz.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 10341000x800000000000000071087686Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:20.914{B81B27B7-BB14-61F9-4F0D-02000000CE01}50205068C:\Windows\system32\conhost.exe{B81B27B7-BBC0-61F9-650D-02000000CE01}3076C:\Tools\x64\mimikatz.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087685Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:20.914{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087684Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:20.914{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087683Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:20.914{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087682Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:20.914{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087681Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:20.914{B81B27B7-AECD-61F9-A70B-02000000CE01}2204396C:\Windows\system32\csrss.exe{B81B27B7-BBC0-61F9-650D-02000000CE01}3076C:\Tools\x64\mimikatz.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000071087680Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:20.914{B81B27B7-BB14-61F9-4E0D-02000000CE01}24002204C:\Windows\system32\cmd.exe{B81B27B7-BBC0-61F9-650D-02000000CE01}3076C:\Tools\x64\mimikatz.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000071087679Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:20.923{B81B27B7-BBC0-61F9-650D-02000000CE01}3076C:\Tools\x64\mimikatz.exe2.2.0.0mimikatz for Windowsmimikatzgentilkiwi (Benjamin DELPY)mimikatz.exemimikatz.exe "kerberos:ptt [0;133115ef]-2-0-40e10000-Administrator@krbtgt-ATTACKRANGE.LOCAL.kirbi"C:\Tools\x64\ATTACKRANGE\REED_SCHMIDT{B81B27B7-AECE-61F9-0184-781000000000}0x107884015MediumMD5=BB8BDB3E8C92E97E2F63626BC3B254C4,SHA256=912018AB3C6B16B39EE84F17745FF0C80A33CEE241013EC35D0281E40C0658D9,IMPHASH=9528A0E91E28FBB88AD433FEABCA2456{B81B27B7-BB14-61F9-4E0D-02000000CE01}2400C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" 10341000x800000000000000071087678Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:20.821{B81B27B7-BBC0-61F9-640D-02000000CE01}42201820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000071087677Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:20.758{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=494BF5C9F1853505B54ACDBEDCC94615,SHA256=A220BB9230CBC869AB6ED837A6BAD30A4A92089C9683A0A400264A36F83BB6AF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685470Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:20.569{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF5F0388DC17321DEB1951E43872A4DD,SHA256=C04081F68851427AF9391F608BFEA6CC69575FE684065D4ABE3D3C35074C80F0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 13241300x800000000000000071087676Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2022-02-01 23:01:20.633{B81B27B7-4B38-61E8-0B00-00000000CE01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000071087675Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2022-02-01 23:01:20.633{B81B27B7-4B38-61E8-0B00-00000000CE01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x441f8f67) 13241300x800000000000000071087674Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2022-02-01 23:01:20.633{B81B27B7-4B38-61E8-0B00-00000000CE01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d817b7-0x3e768fc4) 13241300x800000000000000071087673Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2022-02-01 23:01:20.633{B81B27B7-4B38-61E8-0B00-00000000CE01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d817bf-0xa03af7c4) 13241300x800000000000000071087672Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2022-02-01 23:01:20.633{B81B27B7-4B38-61E8-0B00-00000000CE01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d817c8-0x01ff5fc4) 13241300x800000000000000071087671Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2022-02-01 23:01:20.633{B81B27B7-4B38-61E8-0B00-00000000CE01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000071087670Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2022-02-01 23:01:20.633{B81B27B7-4B38-61E8-0B00-00000000CE01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x441f8f67) 13241300x800000000000000071087669Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2022-02-01 23:01:20.633{B81B27B7-4B38-61E8-0B00-00000000CE01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d817b7-0x3e768fc4) 13241300x800000000000000071087668Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2022-02-01 23:01:20.633{B81B27B7-4B38-61E8-0B00-00000000CE01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d817bf-0xa03af7c4) 13241300x800000000000000071087667Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2022-02-01 23:01:20.633{B81B27B7-4B38-61E8-0B00-00000000CE01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d817c8-0x01ff5fc4) 10341000x800000000000000071087666Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:20.602{B81B27B7-4B3C-61E8-3000-00000000CE01}31083128C:\Windows\system32\conhost.exe{B81B27B7-BBC0-61F9-640D-02000000CE01}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087665Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:20.602{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087664Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:20.602{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087663Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:20.602{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087662Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:20.602{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087661Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:20.602{B81B27B7-4B38-61E8-0500-00000000CE01}420436C:\Windows\system32\csrss.exe{B81B27B7-BBC0-61F9-640D-02000000CE01}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000071087660Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:20.602{B81B27B7-4B3A-61E8-2600-00000000CE01}21723992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-BBC0-61F9-640D-02000000CE01}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000071087659Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:20.587{B81B27B7-BBC0-61F9-640D-02000000CE01}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4B39-61E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000150685469Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:20.319{3BF36828-4B39-61E8-1300-00000000CF01}352NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=9F51C5610247162084E2C32B3C08CDF8,SHA256=ED842B62AE6EAD683D8629639F6D2A7952933CFB9373445158F140D5B3B04A6A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685471Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:21.584{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A369D6F4BB0653020CABD2C55F85FCDE,SHA256=5B5E7CF5624A88DCE620CBE6A7BF86AF6ABE517B09F7F519D1E18A91104377DF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087700Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:21.617{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=88FCB4D9BB93EA321E5C9205131350AB,SHA256=429CD7BB57EE35DBBCD307FC0120A3826D088534A60FFFC2EBAFD6F415E5CF18,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087699Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:21.617{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C2AB00A8EF8E18D46834B7401C912D2B,SHA256=620496138E849F6115A3A9008ACC1E4E7528986DA417FAD6503943433F0CEA74,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000071087698Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:21.508{B81B27B7-BBC1-61F9-660D-02000000CE01}1316852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087697Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:21.289{B81B27B7-4B3C-61E8-3000-00000000CE01}31083128C:\Windows\system32\conhost.exe{B81B27B7-BBC1-61F9-660D-02000000CE01}1316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087696Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:21.289{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087695Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:21.289{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087694Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:21.289{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087693Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:21.289{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087692Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:21.289{B81B27B7-4B38-61E8-0500-00000000CE01}420436C:\Windows\system32\csrss.exe{B81B27B7-BBC1-61F9-660D-02000000CE01}1316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000071087691Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:21.289{B81B27B7-4B3A-61E8-2600-00000000CE01}21723992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-BBC1-61F9-660D-02000000CE01}1316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000071087690Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:21.274{B81B27B7-BBC1-61F9-660D-02000000CE01}1316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4B39-61E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000071087689Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:21.008{B81B27B7-4B38-61E8-0B00-00000000CE01}6404196C:\Windows\system32\lsass.exe{B81B27B7-BBC0-61F9-650D-02000000CE01}3076C:\Tools\x64\mimikatz.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087688Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:21.008{B81B27B7-4B38-61E8-0B00-00000000CE01}6404196C:\Windows\system32\lsass.exe{B81B27B7-BBC0-61F9-650D-02000000CE01}3076C:\Tools\x64\mimikatz.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000150685473Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:22.616{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9BF8EF3655E2A3CCEBA22DF396113CB,SHA256=1D97360A28966C5F8FF922A39BA4D694F7271F77B8C982DB5A35A71D7B047458,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087718Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:22.977{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=88FCB4D9BB93EA321E5C9205131350AB,SHA256=429CD7BB57EE35DBBCD307FC0120A3826D088534A60FFFC2EBAFD6F415E5CF18,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000071087717Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:22.867{B81B27B7-4B3C-61E8-3000-00000000CE01}31083128C:\Windows\system32\conhost.exe{B81B27B7-BBC2-61F9-680D-02000000CE01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087716Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:22.867{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087715Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:22.867{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087714Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:22.867{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087713Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:22.867{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087712Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:22.867{B81B27B7-4B38-61E8-0500-00000000CE01}420540C:\Windows\system32\csrss.exe{B81B27B7-BBC2-61F9-680D-02000000CE01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000071087711Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:22.867{B81B27B7-4B3A-61E8-2600-00000000CE01}21723992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-BBC2-61F9-680D-02000000CE01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000071087710Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:22.853{B81B27B7-BBC2-61F9-680D-02000000CE01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4B39-61E8-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000071087709Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:22.180{B81B27B7-4B3C-61E8-3000-00000000CE01}31083128C:\Windows\system32\conhost.exe{B81B27B7-BBC1-61F9-670D-02000000CE01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087708Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:22.180{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087707Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:22.180{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087706Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:22.180{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087705Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:22.180{B81B27B7-4B39-61E8-0C00-00000000CE01}7362972C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087704Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:22.180{B81B27B7-4B38-61E8-0500-00000000CE01}420540C:\Windows\system32\csrss.exe{B81B27B7-BBC1-61F9-670D-02000000CE01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000071087703Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:22.180{B81B27B7-4B3A-61E8-2600-00000000CE01}21723992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-BBC1-61F9-670D-02000000CE01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000071087702Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:21.962{B81B27B7-BBC1-61F9-670D-02000000CE01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4B39-61E8-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000071087701Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:22.008{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAF367EFABD27DFABF603914E516E85A,SHA256=2F5A970B3908B4360C9542B4F1B0E04E48D1C788DBB612FB207D12380EC70817,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685472Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:22.256{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F14549B6C9A9545A17EAADAB78405B4C,SHA256=1F7A23F65B1A6FADD9B63235DDBFE5C53CB52EEE47348AAE2FFA5B448E9C49BA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000150685475Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:04.654{3BF36828-4B56-61E8-6D00-00000000CF01}4044C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local59798-false10.0.1.12-8000- 23542300x8000000000000000150685474Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:23.631{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1405AD92E547875590C5DE1B97ADEA05,SHA256=F344FE086D593609B4FA56BCD39C2D8CA594E3F889E8604A02776E0B5A699648,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000071087720Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:23.055{B81B27B7-BBC2-61F9-680D-02000000CE01}30562628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000071087719Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:23.024{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BA3E4CFD2F7C1FE3E2FA7BDAE7A8B91,SHA256=A707819F894B8DFEE79F9A44329740C91D9CC0EACD90D2A995CB0E865FA054B8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685476Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:24.647{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FF36BAE828CBBD4E2DA9BD36A7D7416,SHA256=B43F55EA3185AE49DC6D9B15DF93E04D8FB94D479F00B16546F64CF72E0B7B93,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000071087723Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:17.770{B81B27B7-4B45-61E8-6600-00000000CE01}4020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local54127-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000071087722Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:24.102{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D297C7E271805FDD36FD9EBC5904922B,SHA256=2DEDA5150548C69CEE684FB0D1F516FD7F9CAFA891D48BFCD365297B7C998FE2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087721Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:24.039{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=735E57D426868ED2F5C6C153D743D3C8,SHA256=4AF0994518D8E16D4B047E6884F3759CF6482F2215C6F72024F3FE7459B15E74,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685477Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:25.694{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0C6062481CCDCD44A0336AF0510B0AB,SHA256=B187634AA0AA3300DCB1098E6EFF10B0B6B6B8D2E0C0B72CCB834B8CE84A8880,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087724Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:25.117{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E30F4A01DAE56FC850203127137DE4D,SHA256=4FDBB3B6DEEAA71ED330AA5451BDBB209BB6161EE968B0F771E82DC40791D57D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685478Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:26.709{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93EC78652B0590ADD0B8B3DFE61A905C,SHA256=2E8B4D604EE062E128718AD22FE7BCC858D0306603FC8BFDD5DC35E45E7A4FE4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087725Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:26.117{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1C7A4C0E361E5A27992DD30ADFE45E2,SHA256=43AB28D5F9F32D607A7F69BA96C8B2FE70C9464C611D63A9CF41E77C9A56B333,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685479Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:27.756{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C3FF916EF313DD4010276AB50D2D4A6,SHA256=CC9F4E35437FCA4992509B96B2885B161964681E1BC0DCFDC49262837F4E143C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087727Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:27.149{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6B4EA5E96849E29B01C9B09C4790615,SHA256=8F1E9E67B9D6CEDD9E3785BAE18ADFB5150B0D2F1EEC631A7EB17D3326AA27AA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087726Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:27.055{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BA26E78A20D5F9866485A4BDB6B8B84F,SHA256=63B60AFBCCA1136F32DD26CA866A3BEECCF9BFA0684EC5D79B8A37292BDF41E0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000150685483Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:10.623{3BF36828-4B56-61E8-6D00-00000000CF01}4044C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local59799-false10.0.1.12-8000- 23542300x8000000000000000150685482Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:28.819{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51A6C5903A7F4D7EAAAB3C971B8159A7,SHA256=07D5CAF558239A037E6BF8AF7F80A99AFE8979019AA13148BC0191BD00021DE4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087728Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:28.211{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EE41453A29958C396AB8DC70053A91C,SHA256=6D81A48CEF69E4E2DD3B8E27B1F615C2C049B2F578EE825BBBEA53252D62BD72,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685481Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:28.147{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9CE39C335D8C880D6B7BC847AA29C7EE,SHA256=06E0CBFCC18241845038D9D1136B180A58B13274E2E3A5FB6255C37499D1A5F2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685480Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:28.147{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=68F1C86565D9D258E6F1B3C6F7067DF6,SHA256=79297328CFB5AC90BA2F1EDE06B4F48C480B6BBABBDA5A13FA2EC99D9FF021E5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685484Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:29.850{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFF0F8A9D1100EC2BEEF399B75EACADD,SHA256=37181C4B6C53C0561533DE4DC926AF2677ED907FA32A9C82052B4D960CDDA61D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087729Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:29.258{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9673FAC859D9CAABA3FDC04F98A8BD3,SHA256=2EEB0523B7E963F7FF31E5C30510E4A2BD5EE559373DA6FF26219B8D26EA20DE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685495Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:30.881{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=729F3FB0D2D391BC9FD0BFE8BCBFBD41,SHA256=1FA7BC38D549B1487E5A0544D53AF6B268EAA8CE8DDE226DAC958C57C988FF96,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087731Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:30.305{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52032F2E589E644E104A62C5B3C7E6BD,SHA256=20F36B41E21C49531C2230620E8EFA091E01A4CA8BDF27A66FC3B9F4F64355B5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 13241300x8000000000000000150685494Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2022-02-01 23:01:30.288{3BF36828-4B37-61E8-0B00-00000000CF01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000150685493Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2022-02-01 23:01:30.288{3BF36828-4B37-61E8-0B00-00000000CF01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x441f919a) 13241300x8000000000000000150685492Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2022-02-01 23:01:30.288{3BF36828-4B37-61E8-0B00-00000000CF01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d817b7-0x433bc377) 13241300x8000000000000000150685491Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2022-02-01 23:01:30.288{3BF36828-4B37-61E8-0B00-00000000CF01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d817bf-0xa5002b77) 13241300x8000000000000000150685490Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2022-02-01 23:01:30.288{3BF36828-4B37-61E8-0B00-00000000CF01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d817c8-0x06c49377) 13241300x8000000000000000150685489Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2022-02-01 23:01:30.288{3BF36828-4B37-61E8-0B00-00000000CF01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000150685488Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2022-02-01 23:01:30.288{3BF36828-4B37-61E8-0B00-00000000CF01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x441f919a) 13241300x8000000000000000150685487Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2022-02-01 23:01:30.288{3BF36828-4B37-61E8-0B00-00000000CF01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d817b7-0x433bc377) 13241300x8000000000000000150685486Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2022-02-01 23:01:30.288{3BF36828-4B37-61E8-0B00-00000000CF01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d817bf-0xa5002b77) 13241300x8000000000000000150685485Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2022-02-01 23:01:30.288{3BF36828-4B37-61E8-0B00-00000000CF01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d817c8-0x06c49377) 354300x800000000000000071087730Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:22.895{B81B27B7-4B45-61E8-6600-00000000CE01}4020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local54128-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000150685496Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:31.913{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=505211C598C0CF0B65F4F3115DEB021D,SHA256=457AB8907353AC085D4C6E9BCD51F98E9524DE1EF71733D4935BAB7D417578D8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087732Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:31.508{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EC8F1163C530B18342013C31E791498,SHA256=C443FE93E5337EA2563BF3F2A38A27CF0FE05DDAF55E94A68F69E3031DE91BE3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685498Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:32.928{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=090D96319D81F3FD280F10EC5BC326E0,SHA256=3D1B2E37872B505FF7EB6DE8A63C883412C7698F5ACF1C781937F78338042D5A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087733Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:32.696{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=789931E94D3EA856D8F11CBB3BDA7DB6,SHA256=80DDC0E42632A43E0C6E4AF12503058CAF9D87478797546427A7BFECDF0646EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685497Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:32.475{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9CE39C335D8C880D6B7BC847AA29C7EE,SHA256=06E0CBFCC18241845038D9D1136B180A58B13274E2E3A5FB6255C37499D1A5F2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685501Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:33.944{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8FC6899158FAF657209200CD42A1313,SHA256=11D12957750EF92A93A0F522D55ECA62271C8BE62662782B072CFC666514757D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087734Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:33.821{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7718FBDA6F8DC5B641E81DC8F6D208CC,SHA256=8DCFA3F20DF16DFB4B59B93139AFF933088403ED66DC0714F049FA75229C1440,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000150685500Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:14.827{3BF36828-4B37-61E8-0B00-00000000CF01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local59800-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 354300x8000000000000000150685499Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:14.827{3BF36828-4B49-61E8-2500-00000000CF01}2824C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local59800-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 23542300x800000000000000071087735Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:34.961{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C0754E926763AB4F411C9F155FFAA19,SHA256=0B198315DF3F6628B1BA0C7627738E3218C43994ACB109E9DB1DD6E5B184E987,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685504Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:34.975{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8DFBD4A0A597D61BE39C2E63D4F7D7C,SHA256=415C413EB3E77E79062EEAF4C80E2E1CAD8F76E695A6EF2E78812164A2B4E5D8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000150685503Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:16.639{3BF36828-4B56-61E8-6D00-00000000CF01}4044C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local59801-false10.0.1.12-8000- 23542300x8000000000000000150685502Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:34.100{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=47FC5B0FCE2E63223448552A3B347434,SHA256=696C8C2B16136A116DA1D7ED13ADD631E946F14AA940E185A129C25CEC309691,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685505Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:35.991{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7985DC41A782B59E1DEB4FCB33C0CCF5,SHA256=E05B6C6B8E5B95D066745A5538EDD7E5A7B09934547949A3F0AAA5ADF40A3D4B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087737Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:36.196{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2370EC9A54A025A688DA41FD60A595B7,SHA256=1C8C23270D9B30E315DC3D2FEE99973327B627F50323F22CCEC05EEDD180E8FF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000071087736Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:27.926{B81B27B7-4B45-61E8-6600-00000000CE01}4020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local54129-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000071087738Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:37.258{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4FE4E96FD00AF261D82BE687FAE6D8D,SHA256=549B8541482DAEB07BA94653669FA54D392842C26065EE375AD4FDDAFFE13584,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685507Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:37.584{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4AFD77FBEC149101AAC8589765C1CFB2,SHA256=ECFFF40D5C46920F4F102252271E3FD7E4FAA9BFCEC2581ED078FF425A2F2EB1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685506Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:37.006{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6CD1061BAD5808368238E446D46E416,SHA256=709A502F74794779518E9159C029E8208E212987BAAA44FF21C2478903897C40,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087739Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:38.289{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C2CF247488F5CAD52725C7C5A29ACBB,SHA256=B1D7FC329BC7E08B6E6BF29B74E71ECD7652775BC791E5AF4592B65872B0FC75,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685508Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:38.022{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B8A20553BBAD47589E354526210C880,SHA256=A0850C9BBB710CE2FFA1F37CF9BFA9D141383A5F23A83193AA4BD57566AD12FA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087740Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:39.305{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46E1F9612B85DBB0959671C904377A9F,SHA256=0B5275436E53AD849F8DE9569D63DC3DAA039BC0A9931A89619AC6DF51FC65A0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685512Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:39.178{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=84B6B1184D95A321F46792D37B7BB37B,SHA256=BD31932A937F2CBA2F62CD7458FF95B56B04E9605AEF7CA2CE97803D98E0A2CD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000150685511Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:19.924{3BF36828-4B33-61E8-0100-00000000CF01}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255-138netbios-dgmfalse10.0.1.14win-dc-128.attackrange.local138netbios-dgm 354300x8000000000000000150685510Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:19.923{3BF36828-4B33-61E8-0100-00000000CF01}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-128.attackrange.local138netbios-dgmfalse10.0.1.255-138netbios-dgm 23542300x8000000000000000150685509Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:39.053{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A26D26DEF5CF03AEB4C99D099A17E46A,SHA256=A3A5D49CF4A66BA2B02161E9C110C60A80BAE9DE76A5CE786750D860DFE3CF5C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087741Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:40.321{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13D226C1B8E9A5292AE9626339380AEB,SHA256=6F2ED22908B20BEA7CCD70F970598E5CF8A9B9BD2327BA716C46EA8611AAFA4B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000150685514Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:21.717{3BF36828-4B56-61E8-6D00-00000000CF01}4044C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local59802-false10.0.1.12-8000- 23542300x8000000000000000150685513Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:40.069{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04993F2B0A988662B1015737F752BBC3,SHA256=674BDD4A986EAE38B68277328942A53B23DAF967C0789E3EE7D89F6FBF9311CA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087743Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:41.336{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=610EEFF6754B481446C0A7EB000FACA2,SHA256=9FC30FDDAE4680D93C5CB36A0BC98B10BF2DDA337D4F3C634A4DD1834706AB53,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685515Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:41.084{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8ECDD7F24211C655F06AA005EAFF4C5,SHA256=3DA216AA807708C3D8552A37C1BF3072A0995AB74E54AE25561812955CEABA14,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000071087742Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:33.723{B81B27B7-4B45-61E8-6600-00000000CE01}4020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local54130-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000071087744Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:42.352{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAC70EFC628260567FD0E32A720058BF,SHA256=B96FD7DC5B3BD4FB5B89FC89B756691457D4EBF6C6F00A89B3FD54DC0CFF0B06,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685516Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:42.100{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FF32ACC0D6E97A4F649D2238CB606ED,SHA256=8D486F2B167DB56D0FA45D4D61A59808EE734E3598E6CCC69586B5C5BCD3F352,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087745Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:43.367{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA2820811997099AA6CE6E8F9A2776AD,SHA256=D1F344E29EDCB88BFCC4C7BFF292EA760CD1994C4C5098CB6A882BC7CE5FE845,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685517Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:43.116{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D10DD58BC7FE8C13DD41C0737821B7BF,SHA256=C723E09D59E678C617710ED9740C1E2F0C30221A8E381CB471011162C82F4501,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087746Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:44.368{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E05E36D93DFC3C9A7DDD52C6BC75CAF2,SHA256=D897020D29EE6E15396D0285DAFC88D54FA16521FE2E84D732E6AD3BE540B839,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685518Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:44.147{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65C9F7C9F80CF09D01CE85BCD285600C,SHA256=BACDFFE70A8F63A87D1A4620DE7CE1743751465D8E7338A6316BCE7ABEDE7A7C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000071087748Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:38.754{B81B27B7-4B45-61E8-6600-00000000CE01}4020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local54131-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000071087747Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:45.383{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C089718B467F580F3C9D9B0D9928B3C5,SHA256=6F55544776F90E701977AA0D65C9544448682E480A3A5511AA8E24917DC498EC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685521Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:45.194{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E4F51EFDCA84B51E61ECF427E6459B2A,SHA256=49EECB550AB7ADE667D7B20782E74542043795863F36E943EC9644201E4AE97F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685520Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:45.194{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BCDB8F5B01D0F0B4FE6603A6D2B2B108,SHA256=92158D5D5B2EE9125C493AFD1FE56576B6203BCFBB9892A61C3352FA38DD21C7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685519Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:45.178{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=262F7D7BBBBDA8F77025805F8D3AFA7E,SHA256=1829C8AD15AAEDC04F636217DFDB5A550073806016DA5BC4FE8C6C31130418C5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087753Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:46.399{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B9FB1913693E41C4315532B9FDC5887,SHA256=BE27AB17B7ECF2BA3A50D2F0AD2913B2C2D56B29DAFF456E7AEDB63DE8578673,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000150685523Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:27.685{3BF36828-4B56-61E8-6D00-00000000CF01}4044C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local59803-false10.0.1.12-8000- 23542300x8000000000000000150685522Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:46.196{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B12E462DE76A1B016C5E5F83830F2EA3,SHA256=32F5A3382ADC4F3EC674AA6B837FFB0D120601D1E9BA4BCF845F23CDA27800A4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087752Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:46.289{B81B27B7-4B3A-61E8-2600-00000000CE01}2172NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\snap.datMD5=219F4D40155A4140C9447A91A52478E2,SHA256=BF1E428CB06D92DAE3D0091FD53F8A95A8B1D4500D759FE24E3EBD4E5D5317B3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087751Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:46.289{B81B27B7-4B3A-61E8-2600-00000000CE01}2172NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\btree_records.datMD5=37714F0233BDD771763AE614B107C3A3,SHA256=08245BE1A12C75DF6EA0560A4EF492902A5AAA7FAF463B1D5F9F49B838A70059,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087750Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:46.289{B81B27B7-4B3A-61E8-2600-00000000CE01}2172NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\btree_index.datMD5=1FA5FAB861905BDB20E6D60846C22ED3,SHA256=CC59356543F67B6C0A36A79FAFE2007E4ED0932C056F539846A25AA88F8DC551,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087749Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:46.196{B81B27B7-4B3A-61E8-2600-00000000CE01}2172NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000071087755Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:40.848{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local54132-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x800000000000000071087754Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:47.414{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CC54EDBDD4704EC9AF1583134C232CF,SHA256=009EBB59A4CF717E950846958CF8962CF334BE618206FFB1D3C017A09E6FCDA2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685524Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:47.272{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=955ABB6544C85EFD2E803189F363D3E5,SHA256=7978CCC10129E0788677730F7CFEC20818A13DA01B3E29610E8E0254E46C100A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087756Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:48.414{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1ED8AE54EDC4505E4C667F5DCDF5FAB5,SHA256=A917C4428A503B8AD06D6D88C879CC96CAA7E8C18CADD90F0593A5EAE72A9F74,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685525Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:48.292{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=499BDB06BBBB302A5DB805C0E5B5094A,SHA256=577B4E641D1010D02083A6C135BCB6D1EDA7C540E84A21F6A5D97080CFE874C8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087757Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:49.430{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC06B36450B3368277925B269B2DF108,SHA256=84FF0D99FCED5B095EFDB3D2772AEE07BEB560BD25A1C22C8AD3BE42625A34AC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685526Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:49.308{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50DC8F93C80A8AF03AAE965B8FDF1F41,SHA256=892FD75D41F63EFD4C06C9C66FF5D1C5D7B31ADA74263722D1FCE7812C8DECDE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087770Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:50.649{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A24ECEF7F52ACCC29F28CD617FEBE7A,SHA256=BF269F2D9902EECF245E46CF41B82C55740B97135E49473FAD1DF37DD5212650,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685529Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:50.323{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB17AAF89AD7B0743BDC318ED46936D6,SHA256=884E83FD52BBD49E31089191411BE62E4DF9A2190E94712D0B9974021CD52386,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000071087769Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:43.879{B81B27B7-4B45-61E8-6600-00000000CE01}4020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local54133-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x800000000000000071087768Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:50.071{B81B27B7-4B38-61E8-0B00-00000000CE01}6404196C:\Windows\system32\lsass.exe{B81B27B7-BBDE-61F9-690D-02000000CE01}4496C:\Tools\x64\mimikatz.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087767Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:50.071{B81B27B7-4B38-61E8-0B00-00000000CE01}6404196C:\Windows\system32\lsass.exe{B81B27B7-BBDE-61F9-690D-02000000CE01}4496C:\Tools\x64\mimikatz.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000071087766Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:50.008{B81B27B7-BBDE-61F9-690D-02000000CE01}4496C:\Tools\x64\mimikatz.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 10341000x800000000000000071087765Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:50.008{B81B27B7-BB14-61F9-4F0D-02000000CE01}50205068C:\Windows\system32\conhost.exe{B81B27B7-BBDE-61F9-690D-02000000CE01}4496C:\Tools\x64\mimikatz.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087764Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:50.008{B81B27B7-4B39-61E8-0C00-00000000CE01}7364796C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087763Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:50.008{B81B27B7-4B39-61E8-0C00-00000000CE01}7364796C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087762Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:50.008{B81B27B7-4B39-61E8-0C00-00000000CE01}7364796C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087761Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:50.008{B81B27B7-4B39-61E8-0C00-00000000CE01}7364796C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087760Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:50.008{B81B27B7-AECD-61F9-A70B-02000000CE01}2204396C:\Windows\system32\csrss.exe{B81B27B7-BBDE-61F9-690D-02000000CE01}4496C:\Tools\x64\mimikatz.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000071087759Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:50.008{B81B27B7-BB14-61F9-4E0D-02000000CE01}24002204C:\Windows\system32\cmd.exe{B81B27B7-BBDE-61F9-690D-02000000CE01}4496C:\Tools\x64\mimikatz.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000071087758Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:50.011{B81B27B7-BBDE-61F9-690D-02000000CE01}4496C:\Tools\x64\mimikatz.exe2.2.0.0mimikatz for Windowsmimikatzgentilkiwi (Benjamin DELPY)mimikatz.exemimikatz.exe "kerberos::ptt [0;133115ef]-2-0-40e10000-Administrator@krbtgt-ATTACKRANGE.LOCAL.kirbi"C:\Tools\x64\ATTACKRANGE\REED_SCHMIDT{B81B27B7-AECE-61F9-0184-781000000000}0x107884015MediumMD5=BB8BDB3E8C92E97E2F63626BC3B254C4,SHA256=912018AB3C6B16B39EE84F17745FF0C80A33CEE241013EC35D0281E40C0658D9,IMPHASH=9528A0E91E28FBB88AD433FEABCA2456{B81B27B7-BB14-61F9-4E0D-02000000CE01}2400C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" 23542300x8000000000000000150685528Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:50.276{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=27972707CA67596C9424BF7C08A45BFA,SHA256=868650F27145A4F67A975521800731D30B41B77E88E11582C548FF3B6B941A37,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685527Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:50.276{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E4F51EFDCA84B51E61ECF427E6459B2A,SHA256=49EECB550AB7ADE667D7B20782E74542043795863F36E943EC9644201E4AE97F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087773Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:51.711{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56FE7B76BEA76F20947E4DC10CF83266,SHA256=11E2DC8B68EB83B02BDA4EB57FE5346BECB5BA8ABF99F1C09DBAF96FA95FCF38,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000150685531Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:32.815{3BF36828-4B56-61E8-6D00-00000000CF01}4044C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local59804-false10.0.1.12-8000- 23542300x8000000000000000150685530Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:51.339{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC1CB28C218450B31BE62DBE158C1748,SHA256=C804977EE75EB2113BDE574A62C2D134602CA2D156604613D8BBB06BB507FE8A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087772Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:51.008{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E4532291270F92DEAA68C85EA7279769,SHA256=7B463AB9C1D636013FDB9C835DA49A0F1E70F5143BB64DC64E8F30E27FCA8DB4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087771Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:51.008{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5ED98E91473DAF7268F3F3A119E2F382,SHA256=3D7C315A7CBDB325281C3AB846FCAD3C95414FFB98A7C8E7F591BDC2E3043485,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087774Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:52.789{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A4FF386C78671249EBFC83439BB15A1,SHA256=782822E5CA8A27531B7C8D154FDD7330A329C3C1F44D389CF1D9FC368BF093E0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685532Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:52.354{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A856940502C1EBEBB83A25069D567DB0,SHA256=5F9F5C4702DDBB119EBBFFFE8261BD361FB3F1F2F377EBAF7D2F225F0B9CFC6A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087776Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:53.805{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CE1048CC4735708FBA7D49710B09640,SHA256=404C1076742C7E1D994C29585E7E56FF4973855A8A8D72D88B02E2BA683EC806,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685534Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:53.370{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A10CA24EE40BB051EE4753DDBBEAE32,SHA256=9F7C4455FE18E64BC15F0E225D225C2E017840D0F28B2E3619F430F8A263FF7D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087775Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:53.336{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E4532291270F92DEAA68C85EA7279769,SHA256=7B463AB9C1D636013FDB9C835DA49A0F1E70F5143BB64DC64E8F30E27FCA8DB4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685533Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:53.104{3BF36828-4B49-61E8-2D00-00000000CF01}3056NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087777Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:54.821{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73D68CBC731885B4973CE8EAA4DCDA3A,SHA256=DBA0A1847BC2D44BFA39715059743F5BEFECA4181FB6FDBF79EE6860123CD188,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000150685537Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:36.658{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local59805-false10.0.1.12-8089- 23542300x8000000000000000150685536Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:54.386{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66129E5DCF7026AD805BD93D1B289D86,SHA256=09CFAA6C47E7914A22D54EAEF7C024EC1B7517F660E6D69669B8A3877D68F22E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685535Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:54.104{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=27972707CA67596C9424BF7C08A45BFA,SHA256=868650F27145A4F67A975521800731D30B41B77E88E11582C548FF3B6B941A37,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087779Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:55.836{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EA685A7D768FC620592E6E48E839195,SHA256=654069A8A9C2E9EC6E623902A9C95355E10D8C44445A5A5872A2DD655E2FC642,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685538Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:55.401{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=833C464A44BEB515CCB721539B63F4F4,SHA256=908AAA7C59C161ED380C4B2D44EF67D151C8DB015BF6796CC5C322A87A25CE6A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087778Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:55.633{B81B27B7-4B3A-61E8-1000-00000000CE01}984NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=3522DC134969E4FA84DCFC3AF66AA1AD,SHA256=A2A1DB4A41334547C35219FDB1606A52327DD77C305EE290E0CCD99270856268,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685540Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:56.417{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=857F13E3FCB3278A2F585DD9BB560C2A,SHA256=B8A630B797831AB06CA41E9C6FB2C6DB7D957021324BD899926895CEED70080E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000071087780Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:49.738{B81B27B7-4B45-61E8-6600-00000000CE01}4020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local54134-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000150685539Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:56.136{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=03B5BA46C9A5AA2F6E50D3A093478A63,SHA256=C8E949EE7F5689C9AA63E987621C42165143D25A37943E54CC1DC4DA1EF8F57B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000150685542Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:38.658{3BF36828-4B56-61E8-6D00-00000000CF01}4044C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local59806-false10.0.1.12-8000- 23542300x8000000000000000150685541Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:57.433{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EF36854FFE7AC8AB47708614A2C9E11,SHA256=23A0ECCC25C4AF8CFA533A5A75FEA7FA2D7DE6FF6FC83C5807550DA3C97F0671,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087781Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:57.008{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65D2102322F747612EA193790E32F7B9,SHA256=E00C7D7C51D5771FAC878931F129B53A00387DA95975E7F1C1310EFEB0F861AD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685543Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:58.448{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69DFBE4879E62134FBAAAE43E7837978,SHA256=2ED53E180AF5BD7A802B1DC030E115DF728B0B48B8C2C58A91CE23874A8113C3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087782Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:58.024{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAAA8D6CAB3714A22C6DC9A8D1B230B9,SHA256=C83FCB12319FF78D6BDCCF011EB82B7E1B3D7911A46AED165A08FEE5935852D0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685544Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:59.464{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4524D16D5E40773C38AA528B763E9DE2,SHA256=A0BBB50738EFDE33102A79EA4B4686ABF3A85732D8647ACF35702266920B2605,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087783Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:59.071{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63F6BF12A4DBEB120E061969A5AF36E2,SHA256=517EE1CB5F003782D22C7E4DEE2B1189914CDCE0ECF23AE28BA3C24EE425F983,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685545Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:00.479{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CE55F2098E1427CAA3BCE7AAA09A239,SHA256=0E371811ED7E5A28AB0641617E674D5D2397C9099D8A2AAB97824C0B58161C4C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087784Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:00.086{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D89FFBCC88ACD7ABC84918BD164E437,SHA256=BB04F7FD3FD46EB3B3EEAAC9206029BB45714DC7E1125918613CD832ABE57A87,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000150685549Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:43.767{3BF36828-4B56-61E8-6D00-00000000CF01}4044C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local59807-false10.0.1.12-8000- 23542300x8000000000000000150685548Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:01.495{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9E7CAAD91C7524493A4209EE6EFD05E,SHA256=1BF589985CA496C57CD59C188A57BC6B4910498EDF5D3021DA297F1C501FADE4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000071087787Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:54.832{B81B27B7-4B45-61E8-6600-00000000CE01}4020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local54135-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x800000000000000071087786Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:01.586{B81B27B7-4B38-61E8-0B00-00000000CE01}6404196C:\Windows\system32\lsass.exe{B81B27B7-4B35-61E8-0100-00000000CE01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x800000000000000071087785Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:01.117{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A4E2612E20AD272B04E5853893C9CB3,SHA256=5EE674B938F9A33967A2662A6FB297C67F4C9863B395BEC6BE77E6D9B8F2649C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685547Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:01.214{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D18D7B72BDCFB78F88E1BD4732E57A65,SHA256=CD4E893AED201CFEFE4C6ECB066B381EADB9B68272CC0A6322F9ED99857FBBF1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685546Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:01.214{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0C2438FB9C01DD4071B477F928B4FF10,SHA256=C7D86C277529CA458E303C28B3B27CA5029006A8379DCF60BE478F70127AB40C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000150685599Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:02.823{3BF36828-BBEA-61F9-9F0D-02000000CF01}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000150685598Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:02.823{3BF36828-BBEA-61F9-9F0D-02000000CF01}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000150685597Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:02.823{3BF36828-BBEA-61F9-9F0D-02000000CF01}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000150685596Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:02.823{3BF36828-BBEA-61F9-9F0D-02000000CF01}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000150685595Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:02.823{3BF36828-BBEA-61F9-9F0D-02000000CF01}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000150685594Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:02.823{3BF36828-BBEA-61F9-9F0D-02000000CF01}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000150685593Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:02.823{3BF36828-BBEA-61F9-9F0D-02000000CF01}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000150685592Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:02.823{3BF36828-BBEA-61F9-9F0D-02000000CF01}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000150685591Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:02.807{3BF36828-BBEA-61F9-9F0D-02000000CF01}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000150685590Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:02.807{3BF36828-BBEA-61F9-9F0D-02000000CF01}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000150685589Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:02.807{3BF36828-BBEA-61F9-9F0D-02000000CF01}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000150685588Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:02.807{3BF36828-BBEA-61F9-9F0D-02000000CF01}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000150685587Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:02.807{3BF36828-BBEA-61F9-9F0D-02000000CF01}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000150685586Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:02.807{3BF36828-BBEA-61F9-9F0D-02000000CF01}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000150685585Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:02.807{3BF36828-BBEA-61F9-9F0D-02000000CF01}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000150685584Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:02.807{3BF36828-BBEA-61F9-9F0D-02000000CF01}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150685583Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:02.807{3BF36828-BBEA-61F9-9F0D-02000000CF01}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000150685582Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:02.807{3BF36828-BBEA-61F9-9F0D-02000000CF01}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000150685581Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:02.807{3BF36828-BBEA-61F9-9F0D-02000000CF01}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000150685580Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:02.807{3BF36828-BBEA-61F9-9F0D-02000000CF01}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000150685579Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:02.807{3BF36828-BBEA-61F9-9F0D-02000000CF01}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000150685578Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:02.807{3BF36828-BBEA-61F9-9F0D-02000000CF01}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000150685577Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:02.807{3BF36828-BBEA-61F9-9F0D-02000000CF01}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000150685576Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:02.807{3BF36828-BBEA-61F9-9F0D-02000000CF01}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000150685575Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:02.807{3BF36828-BBEA-61F9-9F0D-02000000CF01}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000150685574Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:02.807{3BF36828-BBEA-61F9-9F0D-02000000CF01}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000150685573Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:02.792{3BF36828-BBEA-61F9-9F0D-02000000CF01}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000150685572Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:02.792{3BF36828-BBEA-61F9-9F0D-02000000CF01}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000150685571Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:02.792{3BF36828-BBEA-61F9-9F0D-02000000CF01}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000150685570Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:02.792{3BF36828-BBEA-61F9-9F0D-02000000CF01}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000150685569Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:02.792{3BF36828-BBEA-61F9-9F0D-02000000CF01}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000150685568Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:02.792{3BF36828-BBEA-61F9-9F0D-02000000CF01}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000150685567Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:02.792{3BF36828-BBEA-61F9-9F0D-02000000CF01}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000150685566Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:02.792{3BF36828-BBEA-61F9-9F0D-02000000CF01}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x8000000000000000150685565Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:02.792{3BF36828-BBEA-61F9-9F0D-02000000CF01}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000150685564Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:02.792{3BF36828-BBEA-61F9-9F0D-02000000CF01}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x8000000000000000150685563Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:02.792{3BF36828-4B4B-61E8-3600-00000000CF01}34443464C:\Windows\system32\conhost.exe{3BF36828-BBEA-61F9-9F0D-02000000CF01}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150685562Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:02.792{3BF36828-BBEA-61F9-9F0D-02000000CF01}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000150685561Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:02.792{3BF36828-BBEA-61F9-9F0D-02000000CF01}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000150685560Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:02.792{3BF36828-BBEA-61F9-9F0D-02000000CF01}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150685559Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:02.792{3BF36828-BBEA-61F9-9F0D-02000000CF01}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8trueSplunk, Inc.Valid 10341000x8000000000000000150685558Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:02.792{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150685557Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:02.792{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150685556Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:02.792{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150685555Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:02.792{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150685554Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:02.792{3BF36828-4B36-61E8-0500-00000000CF01}4164876C:\Windows\system32\csrss.exe{3BF36828-BBEA-61F9-9F0D-02000000CF01}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000150685553Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:02.792{3BF36828-4B49-61E8-2D00-00000000CF01}30564072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-BBEA-61F9-9F0D-02000000CF01}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000150685552Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:02.777{3BF36828-BBEA-61F9-9F0D-02000000CF01}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4B37-61E8-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000150685551Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:02.604{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D18D7B72BDCFB78F88E1BD4732E57A65,SHA256=CD4E893AED201CFEFE4C6ECB066B381EADB9B68272CC0A6322F9ED99857FBBF1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685550Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:02.511{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=927B24EB4A211C8F5DC95E25F9277EE0,SHA256=B65CB06BAAC2753B4F4BD1C7596A115980E88BA60A08E57D600FAE1F6ABFE34D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087788Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:02.274{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0C317AC569CE4F8F86AAC0909F33A8C,SHA256=0FB34B8781F2ABD8E24A38B7626B373BC8EA305567D5B2416FC139B66E61BA2B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685660Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:03.995{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A928804A743C02EB02B24633632EFD44,SHA256=B36CC044853EC4AE5277D7211D42ED28A9E23ED33F489E51688310BB3F8EA9B2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685659Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:03.995{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=89C51CEF2FEC76D0F733DA1B23F877AA,SHA256=41AD31652AD6E4ABE8BBCDD54A5ECA07C9BA7427C850FDA596FC5247D9656AA9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000150685658Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:03.745{3BF36828-BBEB-61F9-A00D-02000000CF01}1188420C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150685657Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:03.745{3BF36828-BBEB-61F9-A00D-02000000CF01}1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000150685656Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:03.745{3BF36828-BBEB-61F9-A00D-02000000CF01}1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 354300x8000000000000000150685655Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:45.161{3BF36828-4B37-61E8-0B00-00000000CF01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local59808-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local389ldap 354300x8000000000000000150685654Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:45.161{3BF36828-4B49-61E8-3000-00000000CF01}2408C:\Windows\System32\dfssvc.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local59808-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local389ldap 354300x8000000000000000150685653Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:45.156{3BF36828-4B37-61E8-0B00-00000000CF01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15WIN-HOST-98754138-false10.0.1.14win-dc-128.attackrange.local88kerberos 354300x8000000000000000150685652Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:45.154{3BF36828-4B37-61E8-0B00-00000000CF01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15WIN-HOST-98754137-false10.0.1.14win-dc-128.attackrange.local88kerberos 354300x8000000000000000150685651Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:45.152{3BF36828-4B33-61E8-0100-00000000CF01}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15WIN-HOST-98754136-false10.0.1.14win-dc-128.attackrange.local445microsoft-ds 734700x8000000000000000150685650Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:03.526{3BF36828-BBEB-61F9-A00D-02000000CF01}1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000150685649Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:03.526{3BF36828-BBEB-61F9-A00D-02000000CF01}1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000150685648Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:03.526{3BF36828-BBEB-61F9-A00D-02000000CF01}1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000150685647Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:03.526{3BF36828-BBEB-61F9-A00D-02000000CF01}1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000150685646Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:03.526{3BF36828-BBEB-61F9-A00D-02000000CF01}1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000150685645Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:03.526{3BF36828-BBEB-61F9-A00D-02000000CF01}1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000150685644Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:03.526{3BF36828-BBEB-61F9-A00D-02000000CF01}1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 23542300x800000000000000071087792Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:03.274{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E90F163598C8F53CDA98CFF29E2F31F,SHA256=854CECEBC641B16A239432D1AA4471B79DBBB1EF14F618F2267208C2E352F236,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000150685643Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:03.511{3BF36828-BBEB-61F9-A00D-02000000CF01}1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000150685642Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:03.511{3BF36828-BBEB-61F9-A00D-02000000CF01}1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000150685641Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:03.495{3BF36828-BBEB-61F9-A00D-02000000CF01}1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000150685640Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:03.495{3BF36828-BBEB-61F9-A00D-02000000CF01}1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000150685639Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:03.495{3BF36828-BBEB-61F9-A00D-02000000CF01}1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000150685638Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:03.495{3BF36828-BBEB-61F9-A00D-02000000CF01}1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000150685637Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:03.495{3BF36828-BBEB-61F9-A00D-02000000CF01}1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000150685636Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:03.495{3BF36828-BBEB-61F9-A00D-02000000CF01}1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000150685635Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:03.495{3BF36828-BBEB-61F9-A00D-02000000CF01}1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000150685634Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:03.495{3BF36828-BBEB-61F9-A00D-02000000CF01}1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000150685633Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:03.495{3BF36828-BBEB-61F9-A00D-02000000CF01}1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000150685632Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:03.495{3BF36828-BBEB-61F9-A00D-02000000CF01}1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000150685631Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:03.495{3BF36828-BBEB-61F9-A00D-02000000CF01}1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000150685630Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:03.495{3BF36828-BBEB-61F9-A00D-02000000CF01}1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000150685629Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:03.495{3BF36828-BBEB-61F9-A00D-02000000CF01}1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000150685628Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:03.495{3BF36828-BBEB-61F9-A00D-02000000CF01}1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000150685627Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:03.495{3BF36828-BBEB-61F9-A00D-02000000CF01}1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x8000000000000000150685626Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:03.495{3BF36828-BBEB-61F9-A00D-02000000CF01}1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000150685625Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:03.495{3BF36828-BBEB-61F9-A00D-02000000CF01}1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000150685624Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:03.495{3BF36828-BBEB-61F9-A00D-02000000CF01}1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000150685623Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:03.495{3BF36828-BBEB-61F9-A00D-02000000CF01}1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000150685622Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:03.495{3BF36828-BBEB-61F9-A00D-02000000CF01}1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000150685621Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:03.495{3BF36828-BBEB-61F9-A00D-02000000CF01}1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000150685620Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:03.495{3BF36828-BBEB-61F9-A00D-02000000CF01}1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000150685619Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:03.495{3BF36828-BBEB-61F9-A00D-02000000CF01}1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000150685618Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:03.495{3BF36828-BBEB-61F9-A00D-02000000CF01}1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000150685617Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:03.495{3BF36828-BBEB-61F9-A00D-02000000CF01}1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000150685616Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:03.495{3BF36828-BBEB-61F9-A00D-02000000CF01}1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150685615Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:03.495{3BF36828-BBEB-61F9-A00D-02000000CF01}1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000150685614Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:03.479{3BF36828-4B4B-61E8-3600-00000000CF01}34443464C:\Windows\system32\conhost.exe{3BF36828-BBEB-61F9-A00D-02000000CF01}1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150685613Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:03.479{3BF36828-BBEB-61F9-A00D-02000000CF01}1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000150685612Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:03.479{3BF36828-BBEB-61F9-A00D-02000000CF01}1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000150685611Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:03.479{3BF36828-BBEB-61F9-A00D-02000000CF01}1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150685610Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:03.479{3BF36828-BBEB-61F9-A00D-02000000CF01}1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165trueSplunk, Inc.Valid 10341000x8000000000000000150685609Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:03.479{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150685608Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:03.479{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150685607Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:03.479{3BF36828-4B36-61E8-0500-00000000CF01}416532C:\Windows\system32\csrss.exe{3BF36828-BBEB-61F9-A00D-02000000CF01}1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000150685606Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:03.479{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150685605Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:03.479{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150685604Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:03.479{3BF36828-4B49-61E8-2D00-00000000CF01}30564072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-BBEB-61F9-A00D-02000000CF01}1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000150685603Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:03.465{3BF36828-BBEB-61F9-A00D-02000000CF01}1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4B37-61E8-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x8000000000000000150685602Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:03.042{3BF36828-BBEA-61F9-9F0D-02000000CF01}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000150685601Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:03.042{3BF36828-BBEA-61F9-9F0D-02000000CF01}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000150685600Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:03.042{3BF36828-BBEA-61F9-9F0D-02000000CF01}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 354300x800000000000000071087791Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:56.257{B81B27B7-4B38-61E8-0B00-00000000CE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local54138-false10.0.1.14-88kerberos 354300x800000000000000071087790Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:56.255{B81B27B7-4B38-61E8-0B00-00000000CE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local54137-false10.0.1.14-88kerberos 354300x800000000000000071087789Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:01:56.253{B81B27B7-4B35-61E8-0100-00000000CE01}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local54136-false10.0.1.14-445microsoft-ds 23542300x8000000000000000150685662Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:04.542{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02024EF919C536DEA7D53BD415CE1E6E,SHA256=BF2275CADA9AC431FC13FB20B6D3C98E17789EEFD021FDE13E1F475B3301A672,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087793Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:04.321{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8E4CC4752D8CB584BB7601062D4EBDF,SHA256=2442E89D24F5F606D678E2C45D7EDABDEE279C3DE5A047759EF00D4475F44483,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685661Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:04.026{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E489A666D937663B7F1221C42C2A180A,SHA256=9C174EA2A0459F16B305C772A3AF66433F12F6A12BFF4EF225F6FF0DCB6B425B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685663Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:05.558{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=408846A8D1D17BDD0B249FC156046B1E,SHA256=16926747F514FA238DFAD8E0FF04C5BE0291B6FDD3CD160A86B535FA7A976117,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087794Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:05.352{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5E8F79CE1989EAFB854B8CBD5D50946,SHA256=4A7E76A4D4F64AB1B7EC61577A0F10A4111736C4AB08AC4CB5E02D56C0ADE7B9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087795Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:06.367{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A98CDD5644D5D141135009208506759,SHA256=BF28E437D861EB28E4D418481888DAA53839E721B0ACD3559E385E96572B1D60,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685664Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:06.573{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC4AD5582FC9A18D6944760B399EF93A,SHA256=3F08180FF69E5714BA4DF418A647B079EBDB14AE3C74AD50FE0897D3E76FDAF0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685666Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:07.573{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22CFD4E8FEE770DE04893FAF88CFD775,SHA256=3073D3A5997F335C662BFDBD2DDA290A22D46DA8298801BDAA390DADFD55817B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000071087797Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:00.801{B81B27B7-4B45-61E8-6600-00000000CE01}4020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local54139-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000071087796Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:07.368{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B902E904B4DE88B70003E59AADCE3411,SHA256=A4806A99C309D78DBA51C1EF029DDEA1D6DE687FC13E1C0D68BF51571368362E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685665Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:07.229{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=51EB9EF362EA4051964477FC7915CEAE,SHA256=584BA4559405E3C2D38EC4FA3908D992BB67307AC52DE9D9DB1B65CF3E689F27,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000150685724Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:49.710{3BF36828-4B56-61E8-6D00-00000000CF01}4044C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local59809-false10.0.1.12-8000- 23542300x8000000000000000150685723Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:08.776{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFC6CAABE67F6D35FD64B07286C022D7,SHA256=595102A9A9B2B409E3382E770C77C961780836AABB16B81BA7177040BB58C179,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000150685722Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:08.761{3BF36828-BBF0-61F9-A10D-02000000CF01}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000150685721Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:08.761{3BF36828-BBF0-61F9-A10D-02000000CF01}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000150685720Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:08.761{3BF36828-BBF0-61F9-A10D-02000000CF01}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 10341000x800000000000000071087812Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:08.587{B81B27B7-4B38-61E8-0B00-00000000CE01}6403920C:\Windows\system32\lsass.exe{B81B27B7-BBF0-61F9-6A0D-02000000CE01}3456C:\Tools\PsExec64.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087811Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:08.587{B81B27B7-4B38-61E8-0B00-00000000CE01}6403920C:\Windows\system32\lsass.exe{B81B27B7-BBF0-61F9-6A0D-02000000CE01}3456C:\Tools\PsExec64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087810Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:08.572{B81B27B7-4B38-61E8-0B00-00000000CE01}6403920C:\Windows\system32\lsass.exe{B81B27B7-4B35-61E8-0100-00000000CE01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000071087809Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:08.572{B81B27B7-4B38-61E8-0B00-00000000CE01}6403920C:\Windows\system32\lsass.exe{B81B27B7-4B35-61E8-0100-00000000CE01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000071087808Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:08.572{B81B27B7-4B38-61E8-0B00-00000000CE01}6402716C:\Windows\system32\lsass.exe{B81B27B7-4B35-61E8-0100-00000000CE01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 13241300x800000000000000071087807Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.localAlert,Sysinternals Tool UsedSetValue2022-02-01 23:02:08.556{B81B27B7-BBF0-61F9-6A0D-02000000CE01}3456C:\Tools\PsExec64.exeHKU\S-1-5-21-1166625382-1442148322-2337405042-2397\SOFTWARE\Sysinternals\PsExec\EulaAcceptedDWORD (0x00000001) 10341000x800000000000000071087806Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:08.525{B81B27B7-BB14-61F9-4F0D-02000000CE01}50205068C:\Windows\system32\conhost.exe{B81B27B7-BBF0-61F9-6A0D-02000000CE01}3456C:\Tools\PsExec64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087805Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:08.525{B81B27B7-4B39-61E8-0C00-00000000CE01}736760C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087804Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:08.525{B81B27B7-4B39-61E8-0C00-00000000CE01}736760C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087803Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:08.525{B81B27B7-4B39-61E8-0C00-00000000CE01}736760C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087802Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:08.525{B81B27B7-4B39-61E8-0C00-00000000CE01}736760C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087801Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:08.525{B81B27B7-AECD-61F9-A70B-02000000CE01}2204396C:\Windows\system32\csrss.exe{B81B27B7-BBF0-61F9-6A0D-02000000CE01}3456C:\Tools\PsExec64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000071087800Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:08.525{B81B27B7-BB14-61F9-4E0D-02000000CE01}24002204C:\Windows\system32\cmd.exe{B81B27B7-BBF0-61F9-6A0D-02000000CE01}3456C:\Tools\PsExec64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000071087799Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:08.518{B81B27B7-BBF0-61F9-6A0D-02000000CE01}3456C:\Tools\PsExec64.exe2.34Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.c.\PsExec64.exe -accepteula \\win-dc-128.attackrange.local cmdC:\Tools\ATTACKRANGE\REED_SCHMIDT{B81B27B7-AECE-61F9-0184-781000000000}0x107884015MediumMD5=18126BE163EB7DF2194BB902C359BA8E,SHA256=A9AFFDCDB398D437E2E1CD9BC1CCF2D101D79FC6D87E95E960E50847A141FAA4,IMPHASH=23EC691D842C955A20A733A38E68ED25{B81B27B7-BB14-61F9-4E0D-02000000CE01}2400C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" 23542300x800000000000000071087798Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:08.384{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC409E142C256EDF8001EB2F8541544F,SHA256=0745A573A72D2B64B9772603E00D6A5E1F14CF25E3E25F99F3B80FF2DA52C4B9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000150685719Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:08.573{3BF36828-BBF0-61F9-A10D-02000000CF01}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000150685718Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:08.573{3BF36828-BBF0-61F9-A10D-02000000CF01}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000150685717Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:08.573{3BF36828-BBF0-61F9-A10D-02000000CF01}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000150685716Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:08.573{3BF36828-BBF0-61F9-A10D-02000000CF01}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000150685715Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:08.557{3BF36828-BBF0-61F9-A10D-02000000CF01}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000150685714Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:08.557{3BF36828-BBF0-61F9-A10D-02000000CF01}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000150685713Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:08.557{3BF36828-BBF0-61F9-A10D-02000000CF01}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000150685712Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:08.557{3BF36828-BBF0-61F9-A10D-02000000CF01}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 11241100x8000000000000000150685711Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.localEXE2022-02-01 23:02:08.557{3BF36828-4B33-61E8-0100-00000000CF01}4SystemC:\Windows\PSEXESVC.exe2022-02-01 23:02:08.557 734700x8000000000000000150685710Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:08.557{3BF36828-BBF0-61F9-A10D-02000000CF01}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000150685709Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:08.557{3BF36828-BBF0-61F9-A10D-02000000CF01}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000150685708Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:08.557{3BF36828-BBF0-61F9-A10D-02000000CF01}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000150685707Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:08.557{3BF36828-BBF0-61F9-A10D-02000000CF01}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000150685706Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:08.557{3BF36828-BBF0-61F9-A10D-02000000CF01}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000150685705Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:08.557{3BF36828-BBF0-61F9-A10D-02000000CF01}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000150685704Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:08.557{3BF36828-BBF0-61F9-A10D-02000000CF01}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000150685703Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:08.557{3BF36828-BBF0-61F9-A10D-02000000CF01}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000150685702Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:08.557{3BF36828-BBF0-61F9-A10D-02000000CF01}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000150685701Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:08.557{3BF36828-BBF0-61F9-A10D-02000000CF01}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000150685700Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:08.557{3BF36828-BBF0-61F9-A10D-02000000CF01}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000150685699Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:08.557{3BF36828-BBF0-61F9-A10D-02000000CF01}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000150685698Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:08.557{3BF36828-BBF0-61F9-A10D-02000000CF01}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000150685697Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:08.557{3BF36828-BBF0-61F9-A10D-02000000CF01}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000150685696Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:08.557{3BF36828-BBF0-61F9-A10D-02000000CF01}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000150685695Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:08.557{3BF36828-BBF0-61F9-A10D-02000000CF01}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000150685694Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:08.557{3BF36828-BBF0-61F9-A10D-02000000CF01}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000150685693Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:08.542{3BF36828-BBF0-61F9-A10D-02000000CF01}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x8000000000000000150685692Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:08.542{3BF36828-BBF0-61F9-A10D-02000000CF01}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150685691Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:08.542{3BF36828-BBF0-61F9-A10D-02000000CF01}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000150685690Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:08.542{3BF36828-BBF0-61F9-A10D-02000000CF01}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000150685689Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:08.542{3BF36828-BBF0-61F9-A10D-02000000CF01}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000150685688Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:08.542{3BF36828-BBF0-61F9-A10D-02000000CF01}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x8000000000000000150685687Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:08.542{3BF36828-BBF0-61F9-A10D-02000000CF01}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000150685686Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:08.542{3BF36828-BBF0-61F9-A10D-02000000CF01}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000150685685Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:08.542{3BF36828-BBF0-61F9-A10D-02000000CF01}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x8000000000000000150685684Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:08.542{3BF36828-BBF0-61F9-A10D-02000000CF01}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000150685683Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:08.542{3BF36828-BBF0-61F9-A10D-02000000CF01}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000150685682Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:08.542{3BF36828-BBF0-61F9-A10D-02000000CF01}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x8000000000000000150685681Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:08.542{3BF36828-BBF0-61F9-A10D-02000000CF01}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000150685680Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:08.542{3BF36828-BBF0-61F9-A10D-02000000CF01}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000150685679Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:08.542{3BF36828-BBF0-61F9-A10D-02000000CF01}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x8000000000000000150685678Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:08.542{3BF36828-4B4B-61E8-3600-00000000CF01}34443464C:\Windows\system32\conhost.exe{3BF36828-BBF0-61F9-A10D-02000000CF01}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150685677Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:08.542{3BF36828-BBF0-61F9-A10D-02000000CF01}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000150685676Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:08.542{3BF36828-BBF0-61F9-A10D-02000000CF01}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000150685675Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:08.542{3BF36828-BBF0-61F9-A10D-02000000CF01}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150685674Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:08.542{3BF36828-BBF0-61F9-A10D-02000000CF01}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AECtrueSplunk, Inc.Valid 10341000x8000000000000000150685673Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:08.542{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150685672Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:08.542{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150685671Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:08.542{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150685670Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:08.542{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150685669Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:08.542{3BF36828-4B36-61E8-0500-00000000CF01}4164876C:\Windows\system32\csrss.exe{3BF36828-BBF0-61F9-A10D-02000000CF01}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000150685668Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:08.542{3BF36828-4B49-61E8-2D00-00000000CF01}30564072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-BBF0-61F9-A10D-02000000CF01}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000150685667Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:08.527{3BF36828-BBF0-61F9-A10D-02000000CF01}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4B37-61E8-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x8000000000000000150685833Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:09.948{3BF36828-BBF1-61F9-A30D-02000000CF01}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000150685832Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:09.948{3BF36828-BBF1-61F9-A30D-02000000CF01}26962628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000150685831Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:09.948{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6340AFC3D02AADECCAFC4FC73B18A6C,SHA256=75EA0D03BA5A4A066AFA199F9AF537C9E4444771748B5160F2798A976221BEB0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000150685830Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:09.933{3BF36828-BBF1-61F9-A30D-02000000CF01}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000150685829Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:09.933{3BF36828-BBF1-61F9-A30D-02000000CF01}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000150685828Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:09.917{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63CFACC53A274DB937E3E11B8F1CB7F7,SHA256=1BF863E7C8B5C54829F0F986134A5527E2BA993259E7E0153AFEA5005774AB95,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000071087832Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:09.918{B81B27B7-4B3C-61E8-3000-00000000CE01}31083128C:\Windows\system32\conhost.exe{B81B27B7-BBF1-61F9-6C0D-02000000CE01}4204C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087831Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:09.918{B81B27B7-4B39-61E8-0C00-00000000CE01}736760C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087830Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:09.918{B81B27B7-4B39-61E8-0C00-00000000CE01}736760C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087829Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:09.918{B81B27B7-4B39-61E8-0C00-00000000CE01}736760C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087828Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:09.918{B81B27B7-4B39-61E8-0C00-00000000CE01}736760C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087827Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:09.918{B81B27B7-4B38-61E8-0500-00000000CE01}420540C:\Windows\system32\csrss.exe{B81B27B7-BBF1-61F9-6C0D-02000000CE01}4204C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000071087826Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:09.918{B81B27B7-4B3A-61E8-2600-00000000CE01}21723992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-BBF1-61F9-6C0D-02000000CE01}4204C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000071087825Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:09.903{B81B27B7-BBF1-61F9-6C0D-02000000CE01}4204C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4B39-61E8-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000071087824Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:09.527{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=31EB33761A7B476FEF394B757B24A6F8,SHA256=5E2E01D805682933A926439CDC0DCCB19AE5099F2C54D8FDFC475D0819FF4605,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087823Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:09.527{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7B71360D011323543ECC4A9B41E0EB9C,SHA256=E4B62D9C89C57B025CE9BA0A0F33838176BBCDFBF0E488C6FDDCB00D5F5D1EDD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000071087822Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:09.465{B81B27B7-BBF1-61F9-6B0D-02000000CE01}4452840C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000071087821Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:09.433{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8B4A0C39BA27F4F70EFF78E35F6C3E9,SHA256=B8B33C95E9EEF24AA3AE27AD526BC1921F729D3902AC719DAD69071A2F0C9FE7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000150685827Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:09.761{3BF36828-BBF1-61F9-A30D-02000000CF01}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000150685826Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:09.761{3BF36828-BBF1-61F9-A30D-02000000CF01}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000150685825Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:09.761{3BF36828-BBF1-61F9-A30D-02000000CF01}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000150685824Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:09.761{3BF36828-BBF1-61F9-A30D-02000000CF01}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000150685823Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:09.761{3BF36828-BBF1-61F9-A30D-02000000CF01}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000150685822Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:09.761{3BF36828-BBF1-61F9-A30D-02000000CF01}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000150685821Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:09.761{3BF36828-BBF1-61F9-A30D-02000000CF01}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000150685820Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:09.761{3BF36828-BBF1-61F9-A30D-02000000CF01}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000150685819Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:09.746{3BF36828-BBF1-61F9-A30D-02000000CF01}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000150685818Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:09.746{3BF36828-BBF1-61F9-A30D-02000000CF01}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000150685817Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:09.746{3BF36828-BBF1-61F9-A30D-02000000CF01}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000150685816Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:09.746{3BF36828-BBF1-61F9-A30D-02000000CF01}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000150685815Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:09.746{3BF36828-BBF1-61F9-A30D-02000000CF01}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000150685814Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:09.746{3BF36828-BBF1-61F9-A30D-02000000CF01}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000150685813Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:09.746{3BF36828-BBF1-61F9-A30D-02000000CF01}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000150685812Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:09.746{3BF36828-BBF1-61F9-A30D-02000000CF01}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150685811Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:09.746{3BF36828-BBF1-61F9-A30D-02000000CF01}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000150685810Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:09.746{3BF36828-BBF1-61F9-A30D-02000000CF01}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000150685809Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:09.746{3BF36828-BBF1-61F9-A30D-02000000CF01}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000150685808Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:09.746{3BF36828-BBF1-61F9-A30D-02000000CF01}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000150685807Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:09.746{3BF36828-BBF1-61F9-A30D-02000000CF01}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000150685806Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:09.746{3BF36828-BBF1-61F9-A30D-02000000CF01}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000150685805Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:09.746{3BF36828-BBF1-61F9-A30D-02000000CF01}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000150685804Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:09.746{3BF36828-BBF1-61F9-A30D-02000000CF01}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000150685803Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:09.746{3BF36828-BBF1-61F9-A30D-02000000CF01}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000150685802Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:09.746{3BF36828-BBF1-61F9-A30D-02000000CF01}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000150685801Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:09.746{3BF36828-BBF1-61F9-A30D-02000000CF01}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000150685800Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:09.746{3BF36828-BBF1-61F9-A30D-02000000CF01}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000150685799Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:09.746{3BF36828-BBF1-61F9-A30D-02000000CF01}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000150685798Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:09.746{3BF36828-BBF1-61F9-A30D-02000000CF01}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000150685797Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:09.746{3BF36828-BBF1-61F9-A30D-02000000CF01}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000150685796Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:09.746{3BF36828-BBF1-61F9-A30D-02000000CF01}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000150685795Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:09.746{3BF36828-BBF1-61F9-A30D-02000000CF01}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000150685794Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:09.746{3BF36828-BBF1-61F9-A30D-02000000CF01}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000150685793Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:09.746{3BF36828-BBF1-61F9-A30D-02000000CF01}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000150685792Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:09.746{3BF36828-BBF1-61F9-A30D-02000000CF01}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x8000000000000000150685791Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:09.746{3BF36828-4B4B-61E8-3600-00000000CF01}34443464C:\Windows\system32\conhost.exe{3BF36828-BBF1-61F9-A30D-02000000CF01}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150685790Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:09.746{3BF36828-BBF1-61F9-A30D-02000000CF01}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000150685789Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:09.746{3BF36828-BBF1-61F9-A30D-02000000CF01}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000150685788Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:09.746{3BF36828-BBF1-61F9-A30D-02000000CF01}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150685787Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:09.746{3BF36828-BBF1-61F9-A30D-02000000CF01}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25trueSplunk, Inc.Valid 10341000x8000000000000000150685786Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:09.746{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150685785Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:09.746{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150685784Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:09.746{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150685783Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:09.746{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150685782Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:09.746{3BF36828-4B36-61E8-0500-00000000CF01}416432C:\Windows\system32\csrss.exe{3BF36828-BBF1-61F9-A30D-02000000CF01}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000150685781Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:09.746{3BF36828-4B49-61E8-2D00-00000000CF01}30564072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-BBF1-61F9-A30D-02000000CF01}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000150685780Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:09.730{3BF36828-BBF1-61F9-A30D-02000000CF01}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4B37-61E8-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000150685779Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:52.144{3BF36828-4B33-61E8-0100-00000000CF01}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15WIN-HOST-98754142-false10.0.1.14win-dc-128.attackrange.local445microsoft-ds 354300x8000000000000000150685778Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:52.140{3BF36828-4B33-61E8-0100-00000000CF01}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15WIN-HOST-98754141-false10.0.1.14win-dc-128.attackrange.local445microsoft-ds 354300x8000000000000000150685777Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:52.140{3BF36828-4B33-61E8-0100-00000000CF01}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15WIN-HOST-98754140-false10.0.1.14win-dc-128.attackrange.local445microsoft-ds 23542300x8000000000000000150685776Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:09.573{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0996BA87B127F937417CFD342AE279FA,SHA256=34E95B20DA59602D46DEF1F102AD71CD3FC15E9A592FFBFFF28ED417884B6E06,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000150685775Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:09.542{3BF36828-BBF1-61F9-A20D-02000000CF01}1320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000150685774Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:09.542{3BF36828-BBF1-61F9-A20D-02000000CF01}13205108C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150685773Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:09.542{3BF36828-BBF1-61F9-A20D-02000000CF01}1320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000150685772Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:09.542{3BF36828-BBF1-61F9-A20D-02000000CF01}1320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000150685771Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:09.276{3BF36828-BBF1-61F9-A20D-02000000CF01}1320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000150685770Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:09.276{3BF36828-BBF1-61F9-A20D-02000000CF01}1320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000150685769Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:09.276{3BF36828-BBF1-61F9-A20D-02000000CF01}1320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000150685768Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:09.276{3BF36828-BBF1-61F9-A20D-02000000CF01}1320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000150685767Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:09.276{3BF36828-BBF1-61F9-A20D-02000000CF01}1320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000150685766Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:09.276{3BF36828-BBF1-61F9-A20D-02000000CF01}1320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000150685765Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:09.276{3BF36828-BBF1-61F9-A20D-02000000CF01}1320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000150685764Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:09.276{3BF36828-BBF1-61F9-A20D-02000000CF01}1320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000150685763Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:09.245{3BF36828-BBF1-61F9-A20D-02000000CF01}1320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000150685762Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:09.245{3BF36828-BBF1-61F9-A20D-02000000CF01}1320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000150685761Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:09.245{3BF36828-BBF1-61F9-A20D-02000000CF01}1320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000150685760Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:09.245{3BF36828-BBF1-61F9-A20D-02000000CF01}1320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000150685759Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:09.245{3BF36828-BBF1-61F9-A20D-02000000CF01}1320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000150685758Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:09.245{3BF36828-BBF1-61F9-A20D-02000000CF01}1320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000150685757Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:09.245{3BF36828-BBF1-61F9-A20D-02000000CF01}1320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000150685756Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:09.245{3BF36828-BBF1-61F9-A20D-02000000CF01}1320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150685755Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:09.245{3BF36828-BBF1-61F9-A20D-02000000CF01}1320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000150685754Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:09.245{3BF36828-BBF1-61F9-A20D-02000000CF01}1320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000150685753Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:09.245{3BF36828-BBF1-61F9-A20D-02000000CF01}1320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000150685752Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:09.245{3BF36828-BBF1-61F9-A20D-02000000CF01}1320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000150685751Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:09.245{3BF36828-BBF1-61F9-A20D-02000000CF01}1320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000150685750Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:09.245{3BF36828-BBF1-61F9-A20D-02000000CF01}1320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000150685749Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:09.245{3BF36828-BBF1-61F9-A20D-02000000CF01}1320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000150685748Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:09.245{3BF36828-BBF1-61F9-A20D-02000000CF01}1320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000150685747Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:09.245{3BF36828-BBF1-61F9-A20D-02000000CF01}1320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000150685746Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:09.245{3BF36828-BBF1-61F9-A20D-02000000CF01}1320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000150685745Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:09.245{3BF36828-BBF1-61F9-A20D-02000000CF01}1320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000150685744Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:09.245{3BF36828-BBF1-61F9-A20D-02000000CF01}1320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000150685743Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:09.245{3BF36828-BBF1-61F9-A20D-02000000CF01}1320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000150685742Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:09.245{3BF36828-BBF1-61F9-A20D-02000000CF01}1320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000150685741Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:09.245{3BF36828-BBF1-61F9-A20D-02000000CF01}1320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000150685740Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:09.245{3BF36828-BBF1-61F9-A20D-02000000CF01}1320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000150685739Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:09.229{3BF36828-BBF1-61F9-A20D-02000000CF01}1320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000150685738Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:09.229{3BF36828-BBF1-61F9-A20D-02000000CF01}1320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000150685737Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:09.229{3BF36828-BBF1-61F9-A20D-02000000CF01}1320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x8000000000000000150685736Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:09.229{3BF36828-4B4B-61E8-3600-00000000CF01}34443464C:\Windows\system32\conhost.exe{3BF36828-BBF1-61F9-A20D-02000000CF01}1320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150685735Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:09.229{3BF36828-BBF1-61F9-A20D-02000000CF01}1320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000150685734Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:09.229{3BF36828-BBF1-61F9-A20D-02000000CF01}1320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000150685733Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:09.229{3BF36828-BBF1-61F9-A20D-02000000CF01}1320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150685732Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:09.229{3BF36828-BBF1-61F9-A20D-02000000CF01}1320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x8000000000000000150685731Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:09.229{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150685730Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:09.229{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150685729Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:09.229{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150685728Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:09.229{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150685727Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:09.229{3BF36828-4B36-61E8-0500-00000000CF01}416532C:\Windows\system32\csrss.exe{3BF36828-BBF1-61F9-A20D-02000000CF01}1320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000150685726Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:09.229{3BF36828-4B49-61E8-2D00-00000000CF01}30564072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-BBF1-61F9-A20D-02000000CF01}1320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000150685725Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:09.214{3BF36828-BBF1-61F9-A20D-02000000CF01}1320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4B37-61E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000071087820Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:09.230{B81B27B7-4B3C-61E8-3000-00000000CE01}31083128C:\Windows\system32\conhost.exe{B81B27B7-BBF1-61F9-6B0D-02000000CE01}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087819Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:09.230{B81B27B7-4B39-61E8-0C00-00000000CE01}736760C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087818Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:09.230{B81B27B7-4B39-61E8-0C00-00000000CE01}736760C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087817Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:09.230{B81B27B7-4B39-61E8-0C00-00000000CE01}736760C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087816Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:09.230{B81B27B7-4B39-61E8-0C00-00000000CE01}736760C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087815Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:09.230{B81B27B7-4B38-61E8-0500-00000000CE01}4202120C:\Windows\system32\csrss.exe{B81B27B7-BBF1-61F9-6B0D-02000000CE01}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000071087814Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:09.230{B81B27B7-4B3A-61E8-2600-00000000CE01}21723992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-BBF1-61F9-6B0D-02000000CE01}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000071087813Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:09.215{B81B27B7-BBF1-61F9-6B0D-02000000CE01}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4B39-61E8-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000150685886Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:10.948{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A959324C4242AC47165F2752BF5873A0,SHA256=7DC4D0C96E21B7B723A24C8D8DB8045ACF3693BEF63DC2D3DDECFA4A07013978,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087852Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:10.907{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=31EB33761A7B476FEF394B757B24A6F8,SHA256=5E2E01D805682933A926439CDC0DCCB19AE5099F2C54D8FDFC475D0819FF4605,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 22542200x800000000000000071087851Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:03.286{B81B27B7-BBF0-61F9-6A0D-02000000CE01}3456win-dc-128.attackrange.local0::ffff:10.0.1.14;C:\Tools\PsExec64.exe 10341000x800000000000000071087850Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:10.657{B81B27B7-4B3A-61E8-1F00-00000000CE01}20048C:\Windows\sysmon64.exe{B81B27B7-BBF0-61F9-6A0D-02000000CE01}3456C:\Tools\PsExec64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16495|C:\Windows\sysmon64.exe+16778|C:\Windows\sysmon64.exe+16aae|C:\Windows\sysmon64.exe+1a5ae|C:\Windows\sysmon64.exe+5ea0|C:\Windows\sysmon64.exe+6037|C:\Windows\System32\sechost.dll+10a75|C:\Windows\System32\sechost.dll+1004d|C:\Windows\System32\sechost.dll+fe55|C:\Windows\System32\sechost.dll+ed3f|C:\Windows\sysmon64.exe+6213|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 22542200x800000000000000071087849Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:03.271{B81B27B7-BBF0-61F9-6A0D-02000000CE01}3456win-dc-128.attackrange.local0::ffff:10.0.1.14;C:\Tools\PsExec64.exe 10341000x800000000000000071087848Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:10.657{B81B27B7-4B3A-61E8-1F00-00000000CE01}20048C:\Windows\sysmon64.exe{B81B27B7-BBF0-61F9-6A0D-02000000CE01}3456C:\Tools\PsExec64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16495|C:\Windows\sysmon64.exe+16778|C:\Windows\sysmon64.exe+16aae|C:\Windows\sysmon64.exe+1a5ae|C:\Windows\sysmon64.exe+5ea0|C:\Windows\sysmon64.exe+6037|C:\Windows\System32\sechost.dll+10a75|C:\Windows\System32\sechost.dll+1004d|C:\Windows\System32\sechost.dll+fe55|C:\Windows\System32\sechost.dll+ed3f|C:\Windows\sysmon64.exe+6213|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087847Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:10.610{B81B27B7-4B3C-61E8-3000-00000000CE01}31083128C:\Windows\system32\conhost.exe{B81B27B7-BBF2-61F9-6D0D-02000000CE01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087846Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:10.610{B81B27B7-4B39-61E8-0C00-00000000CE01}736760C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087845Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:10.610{B81B27B7-4B39-61E8-0C00-00000000CE01}736760C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087844Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:10.610{B81B27B7-4B39-61E8-0C00-00000000CE01}736760C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087843Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:10.610{B81B27B7-4B39-61E8-0C00-00000000CE01}736760C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087842Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:10.610{B81B27B7-4B38-61E8-0500-00000000CE01}4202120C:\Windows\system32\csrss.exe{B81B27B7-BBF2-61F9-6D0D-02000000CE01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000071087841Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:10.610{B81B27B7-4B3A-61E8-2600-00000000CE01}21723992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-BBF2-61F9-6D0D-02000000CE01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000071087840Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:10.595{B81B27B7-BBF2-61F9-6D0D-02000000CE01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4B39-61E8-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000071087839Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:10.438{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1766E5D39B517AA52BFD818BFB2FB57,SHA256=7FEF24B808FD7D617B39C2D4CB35493D348753649908CDBFE5843F0F0B028439,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000150685885Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:52.175{3BF36828-4B39-61E8-0D00-00000000CF01}900C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse10.0.1.15WIN-HOST-98754143-false10.0.1.14win-dc-128.attackrange.local135epmap 734700x8000000000000000150685884Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:10.448{3BF36828-BBF2-61F9-A40D-02000000CF01}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000150685883Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:10.448{3BF36828-BBF2-61F9-A40D-02000000CF01}961920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150685882Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:10.448{3BF36828-BBF2-61F9-A40D-02000000CF01}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000150685881Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:10.448{3BF36828-BBF2-61F9-A40D-02000000CF01}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000150685880Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:10.292{3BF36828-BBF2-61F9-A40D-02000000CF01}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000150685879Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:10.292{3BF36828-BBF2-61F9-A40D-02000000CF01}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000150685878Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:10.292{3BF36828-BBF2-61F9-A40D-02000000CF01}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000150685877Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:10.292{3BF36828-BBF2-61F9-A40D-02000000CF01}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000150685876Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:10.292{3BF36828-BBF2-61F9-A40D-02000000CF01}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000150685875Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:10.292{3BF36828-BBF2-61F9-A40D-02000000CF01}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000150685874Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:10.292{3BF36828-BBF2-61F9-A40D-02000000CF01}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000150685873Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:10.292{3BF36828-BBF2-61F9-A40D-02000000CF01}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000150685872Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:10.276{3BF36828-BBF2-61F9-A40D-02000000CF01}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000150685871Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:10.276{3BF36828-BBF2-61F9-A40D-02000000CF01}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000150685870Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:10.276{3BF36828-BBF2-61F9-A40D-02000000CF01}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000150685869Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:10.276{3BF36828-BBF2-61F9-A40D-02000000CF01}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000150685868Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:10.276{3BF36828-BBF2-61F9-A40D-02000000CF01}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000150685867Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:10.276{3BF36828-BBF2-61F9-A40D-02000000CF01}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000150685866Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:10.276{3BF36828-BBF2-61F9-A40D-02000000CF01}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000150685865Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:10.276{3BF36828-BBF2-61F9-A40D-02000000CF01}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000150685864Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:10.276{3BF36828-BBF2-61F9-A40D-02000000CF01}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000150685863Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:10.276{3BF36828-BBF2-61F9-A40D-02000000CF01}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150685862Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:10.276{3BF36828-BBF2-61F9-A40D-02000000CF01}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000150685861Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:10.276{3BF36828-BBF2-61F9-A40D-02000000CF01}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000150685860Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:10.276{3BF36828-BBF2-61F9-A40D-02000000CF01}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000150685859Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:10.276{3BF36828-BBF2-61F9-A40D-02000000CF01}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000150685858Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:10.276{3BF36828-BBF2-61F9-A40D-02000000CF01}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000150685857Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:10.276{3BF36828-BBF2-61F9-A40D-02000000CF01}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000150685856Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:10.276{3BF36828-BBF2-61F9-A40D-02000000CF01}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000150685855Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:10.276{3BF36828-BBF2-61F9-A40D-02000000CF01}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000150685854Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:10.276{3BF36828-BBF2-61F9-A40D-02000000CF01}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000150685853Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:10.276{3BF36828-BBF2-61F9-A40D-02000000CF01}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000150685852Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:10.276{3BF36828-BBF2-61F9-A40D-02000000CF01}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000150685851Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:10.276{3BF36828-BBF2-61F9-A40D-02000000CF01}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000150685850Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:10.276{3BF36828-BBF2-61F9-A40D-02000000CF01}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000150685849Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:10.276{3BF36828-BBF2-61F9-A40D-02000000CF01}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000150685848Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:10.276{3BF36828-BBF2-61F9-A40D-02000000CF01}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000150685847Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:10.276{3BF36828-BBF2-61F9-A40D-02000000CF01}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000150685846Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:10.276{3BF36828-BBF2-61F9-A40D-02000000CF01}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x8000000000000000150685845Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:10.276{3BF36828-4B4B-61E8-3600-00000000CF01}34443464C:\Windows\system32\conhost.exe{3BF36828-BBF2-61F9-A40D-02000000CF01}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150685844Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:10.276{3BF36828-BBF2-61F9-A40D-02000000CF01}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000150685843Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:10.276{3BF36828-BBF2-61F9-A40D-02000000CF01}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000150685842Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:10.276{3BF36828-BBF2-61F9-A40D-02000000CF01}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150685841Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:10.276{3BF36828-BBF2-61F9-A40D-02000000CF01}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x8000000000000000150685840Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:10.276{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150685839Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:10.276{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150685838Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:10.276{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150685837Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:10.276{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150685836Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:10.276{3BF36828-4B36-61E8-0500-00000000CF01}416432C:\Windows\system32\csrss.exe{3BF36828-BBF2-61F9-A40D-02000000CF01}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000150685835Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:10.276{3BF36828-4B49-61E8-2D00-00000000CF01}30564072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-BBF2-61F9-A40D-02000000CF01}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000150685834Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:10.261{3BF36828-BBF2-61F9-A40D-02000000CF01}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4B37-61E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000071087838Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:03.276{B81B27B7-BBF0-61F9-6A0D-02000000CE01}3456C:\Tools\PsExec64.exeATTACKRANGE\REED_SCHMIDTtcptruefalse10.0.1.15win-host-987.attackrange.local54143-false10.0.1.14-135epmap 10341000x800000000000000071087837Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:10.016{B81B27B7-4B3A-61E8-1F00-00000000CE01}20042188C:\Windows\sysmon64.exe{B81B27B7-BBF0-61F9-6A0D-02000000CE01}3456C:\Tools\PsExec64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1abb1|C:\Windows\sysmon64.exe+1cfc7|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087836Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:10.016{B81B27B7-4B3A-61E8-1F00-00000000CE01}20042188C:\Windows\sysmon64.exe{B81B27B7-BBF0-61F9-6A0D-02000000CE01}3456C:\Tools\PsExec64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\sysmon64.exe+2682c|C:\Windows\sysmon64.exe+1cc6d|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000071087835Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:03.244{B81B27B7-4B35-61E8-0100-00000000CE01}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local54142-false10.0.1.14-445microsoft-ds 354300x800000000000000071087834Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:03.241{B81B27B7-4B35-61E8-0100-00000000CE01}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local54141-false10.0.1.14-445microsoft-ds 354300x800000000000000071087833Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:03.240{B81B27B7-4B35-61E8-0100-00000000CE01}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local54140-false10.0.1.14-445microsoft-ds 23542300x800000000000000071087853Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:11.454{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19AC3920EEC673AC8A6369D12445F038,SHA256=1199DC128360837DAFD2C82F2076610D1CA5483D85E2A9128CA55C921F4A250F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000150685888Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:11.573{3BF36828-4B37-61E8-0B00-00000000CF01}6322768C:\Windows\system32\lsass.exe{3BF36828-4B33-61E8-0100-00000000CF01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x8000000000000000150685887Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:11.104{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CE34BF4D3F16A23E3D8CE0D57B68A1E,SHA256=684019A65B637D6E58A9FEA90A315B5548B5E15AE4C1B743CB9C99A1D421F2DB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087854Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:12.516{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55C13DAE274E49E3AD69D7B8C15A56E4,SHA256=C6D3C94345EB0178FEF7B5779C727E4A28C55375D9457CDD41EE9DD753446EF4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000150685897Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:55.147{3BF36828-4B33-61E8-0100-00000000CF01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local59813-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local445microsoft-ds 354300x8000000000000000150685896Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:55.146{3BF36828-4B33-61E8-0100-00000000CF01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local59813-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local445microsoft-ds 354300x8000000000000000150685895Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:55.045{3BF36828-4B37-61E8-0B00-00000000CF01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-128.attackrange.local59812-false10.0.1.14win-dc-128.attackrange.local389ldap 354300x8000000000000000150685894Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:55.045{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local59812-false10.0.1.14win-dc-128.attackrange.local389ldap 354300x8000000000000000150685893Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:55.037{3BF36828-4B37-61E8-0B00-00000000CF01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local59811-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local389ldap 354300x8000000000000000150685892Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:55.037{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local59811-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local389ldap 354300x8000000000000000150685891Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:01:54.814{3BF36828-4B56-61E8-6D00-00000000CF01}4044C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local59810-false10.0.1.12-8000- 23542300x8000000000000000150685890Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:12.261{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F0DB33C4354EE1396A3BCDEA8447ACDD,SHA256=B9E14663BB1ADFD139ED1B45C6758B3C74EF263352444351F8B5AFCBA696DE16,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685889Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:12.042{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F7CD5AA619B132A9BE4743ADC54A344,SHA256=9D0E5C85C3D6DD59FCE1BD733E959D05FD2109A8C3B681C55C39278BAA07BB9D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087856Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:13.516{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=412168A0A66944CC1A408046500BF3F6,SHA256=23B1D874F458FF689B5BCAC2416805FD390B4C260FF91277431C9404062D5836,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685898Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:13.073{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCDBFDC94EFC6D7AB84D4092634497BB,SHA256=C19F2866EF2B7F67C9196DA2B05C6B110CD904BA1A698D40DD53C0A55F116220,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000071087855Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:05.872{B81B27B7-4B45-61E8-6600-00000000CE01}4020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local54145-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000071087857Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:14.657{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2288D90629ECA282E8870738D8708CA6,SHA256=B8F5814FCD6C77C2BE7C8329B84ABD48F7DAF4534C6A3E9C8754626FC95044CE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685899Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:14.089{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A7FC54B7FC14B644C2B722910F7265C,SHA256=EE07B0B11AFB968BEE20DD7C1868B51FFD8D74B28CDE36AC30A3B98A4C5A95CD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087858Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:15.688{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C05741CF8CE2099A84C741B788C4EA6E,SHA256=A994656B254B710041CB11B64443EB69ADE476ECBE310FF22B7A04DC56ADEE43,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685900Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:15.104{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70ADD9C1DF658A28B03861C5B16FFAE8,SHA256=7246494FC959368C43A33A8C9AFE1DB75B4DE0B7AA2E1114ECF695D6F9FA9086,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087859Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:16.688{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28E83E743BD1AD1004453FA7C2CF7C59,SHA256=EDEAEE17D181A931F071F934FBAC56623A1B46649C8FF2C0A9AD705D31A9A6D7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685901Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:16.120{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=015E8BC7A794BDCD73491F6F9165F021,SHA256=E7936CA084D95CC05E271447C5BCDB99245588AA12B6D3DC68101CEDC2417EA4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087860Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:17.923{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97C95895F6B66AA537354446DB3FDECC,SHA256=D39A7590FC19AD760ED62C75C15581EA320C600BA7F94C5BEDB2B59100CBB06E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000150685953Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:17.651{3BF36828-BBF9-61F9-A50D-02000000CF01}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000150685952Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:17.636{3BF36828-BBF9-61F9-A50D-02000000CF01}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000150685951Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:17.636{3BF36828-BBF9-61F9-A50D-02000000CF01}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000150685950Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:17.433{3BF36828-BBF9-61F9-A50D-02000000CF01}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000150685949Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:17.433{3BF36828-BBF9-61F9-A50D-02000000CF01}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000150685948Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:17.433{3BF36828-BBF9-61F9-A50D-02000000CF01}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000150685947Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:17.433{3BF36828-BBF9-61F9-A50D-02000000CF01}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000150685946Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:17.433{3BF36828-BBF9-61F9-A50D-02000000CF01}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000150685945Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:17.433{3BF36828-BBF9-61F9-A50D-02000000CF01}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000150685944Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:17.433{3BF36828-BBF9-61F9-A50D-02000000CF01}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000150685943Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:17.433{3BF36828-BBF9-61F9-A50D-02000000CF01}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000150685942Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:17.433{3BF36828-BBF9-61F9-A50D-02000000CF01}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000150685941Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:17.433{3BF36828-BBF9-61F9-A50D-02000000CF01}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000150685940Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:17.433{3BF36828-BBF9-61F9-A50D-02000000CF01}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000150685939Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:17.433{3BF36828-BBF9-61F9-A50D-02000000CF01}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000150685938Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:17.433{3BF36828-BBF9-61F9-A50D-02000000CF01}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000150685937Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:17.433{3BF36828-BBF9-61F9-A50D-02000000CF01}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000150685936Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:17.417{3BF36828-BBF9-61F9-A50D-02000000CF01}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000150685935Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:17.417{3BF36828-BBF9-61F9-A50D-02000000CF01}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045,IMPHASH=2005807FD04567B79F4109D23F9E6018trueMicrosoft WindowsValid 734700x8000000000000000150685934Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:17.417{3BF36828-BBF9-61F9-A50D-02000000CF01}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000150685933Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:17.417{3BF36828-BBF9-61F9-A50D-02000000CF01}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000150685932Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:17.417{3BF36828-BBF9-61F9-A50D-02000000CF01}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000150685931Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:17.417{3BF36828-BBF9-61F9-A50D-02000000CF01}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000150685930Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:17.417{3BF36828-BBF9-61F9-A50D-02000000CF01}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000150685929Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:17.417{3BF36828-BBF9-61F9-A50D-02000000CF01}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000150685928Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:17.417{3BF36828-BBF9-61F9-A50D-02000000CF01}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000150685927Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:17.417{3BF36828-BBF9-61F9-A50D-02000000CF01}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000150685926Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:17.417{3BF36828-BBF9-61F9-A50D-02000000CF01}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000150685925Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:17.417{3BF36828-BBF9-61F9-A50D-02000000CF01}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000150685924Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:17.417{3BF36828-BBF9-61F9-A50D-02000000CF01}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000150685923Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:17.417{3BF36828-BBF9-61F9-A50D-02000000CF01}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000150685922Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:17.417{3BF36828-BBF9-61F9-A50D-02000000CF01}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000150685921Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:17.417{3BF36828-BBF9-61F9-A50D-02000000CF01}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000150685920Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:17.417{3BF36828-BBF9-61F9-A50D-02000000CF01}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000150685919Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:17.417{3BF36828-BBF9-61F9-A50D-02000000CF01}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x8000000000000000150685918Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:17.417{3BF36828-BBF9-61F9-A50D-02000000CF01}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000150685917Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:17.417{3BF36828-BBF9-61F9-A50D-02000000CF01}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000150685916Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:17.417{3BF36828-BBF9-61F9-A50D-02000000CF01}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150685915Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:17.417{3BF36828-BBF9-61F9-A50D-02000000CF01}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000150685914Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:17.417{3BF36828-4B4B-61E8-3600-00000000CF01}34443464C:\Windows\system32\conhost.exe{3BF36828-BBF9-61F9-A50D-02000000CF01}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150685913Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:17.417{3BF36828-BBF9-61F9-A50D-02000000CF01}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000150685912Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:17.417{3BF36828-BBF9-61F9-A50D-02000000CF01}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000150685911Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:17.417{3BF36828-BBF9-61F9-A50D-02000000CF01}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150685910Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:17.417{3BF36828-BBF9-61F9-A50D-02000000CF01}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748trueSplunk, Inc.Valid 10341000x8000000000000000150685909Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:17.417{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150685908Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:17.417{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150685907Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:17.417{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150685906Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:17.417{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150685905Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:17.417{3BF36828-4B36-61E8-0500-00000000CF01}4164876C:\Windows\system32\csrss.exe{3BF36828-BBF9-61F9-A50D-02000000CF01}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000150685904Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:17.417{3BF36828-4B49-61E8-2D00-00000000CF01}30564072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-BBF9-61F9-A50D-02000000CF01}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000150685903Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:17.387{3BF36828-BBF9-61F9-A50D-02000000CF01}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4B37-61E8-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000150685902Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:17.136{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A0D1C396F2A697041AAEC37B0144B97,SHA256=696090C424564387F2FA9A9D55285F9353F5F6C7B7A9DBB0E7222176B6656924,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087862Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:18.923{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E793B75477D97E27AB2F421026869091,SHA256=D0D40AF656F8F780A0DEDCB65891AAC3DC854C3D050D88CA42A731A300A2682A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685956Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:18.604{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B62ECFD3F39B727304BA30861C2224C7,SHA256=C58C63951AB45125AED6191A945DFEF20D1078AC35D63B8E34BEC571A4ECB31E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685955Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:18.604{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C426B5489CEB12C715AC58AE5731E4F4,SHA256=EBC08A98D005118764026E1228A18E994FCA1AC35BEB4B65864E776D375444E6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685954Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:18.604{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8E49889EC68E16A0E48354D2AD73DE80,SHA256=858E26D81E2786E0E1BB462A54EBA432C692C8DDEA072B8AD044D87727B90F50,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000071087861Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:10.872{B81B27B7-4B45-61E8-6600-00000000CE01}4020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local54146-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000150685958Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:19.636{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CEF176E58B8320299989E26D51028E4,SHA256=742994D01FCFFE368E6BAFBAC2190F7FEFFEFC7C34F8CADDFD65586D32AC0D26,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000150685957Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:00.736{3BF36828-4B56-61E8-6D00-00000000CF01}4044C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local59814-false10.0.1.12-8000- 23542300x8000000000000000150685960Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:20.651{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C4B29BAD70E1A7CB83BE5C075BCF2E9,SHA256=B1DB6E5E81A6AF172C35363198D91BBC85F04BAD0A83757D44476B2A8136AA3A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000071087872Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:20.845{B81B27B7-BBFC-61F9-6E0D-02000000CE01}8523272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087871Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:20.610{B81B27B7-4B3C-61E8-3000-00000000CE01}31083128C:\Windows\system32\conhost.exe{B81B27B7-BBFC-61F9-6E0D-02000000CE01}852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087870Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:20.610{B81B27B7-4B39-61E8-0C00-00000000CE01}736760C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087869Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:20.610{B81B27B7-4B39-61E8-0C00-00000000CE01}736760C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087868Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:20.610{B81B27B7-4B38-61E8-0500-00000000CE01}4202120C:\Windows\system32\csrss.exe{B81B27B7-BBFC-61F9-6E0D-02000000CE01}852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000071087867Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:20.610{B81B27B7-4B39-61E8-0C00-00000000CE01}736760C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087866Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:20.610{B81B27B7-4B39-61E8-0C00-00000000CE01}736760C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087865Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:20.610{B81B27B7-4B3A-61E8-2600-00000000CE01}21723992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-BBFC-61F9-6E0D-02000000CE01}852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000071087864Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:20.595{B81B27B7-BBFC-61F9-6E0D-02000000CE01}852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4B39-61E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000071087863Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:20.079{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E09B383357A04F2121678711BEE8CDD2,SHA256=37765709EF7C0DFA9AB12C909B6D81DC88D2415D22DA64F24D1C026B21B6C38C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685959Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:20.323{3BF36828-4B39-61E8-1300-00000000CF01}352NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=3C9B8ECB8B67DA18B5149C87E42BCAC7,SHA256=D55EE32B44C4C8E2D316D67EADCA7BEBB4CD3E30A43578070826427E4D354623,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685961Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:21.667{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BFDDA50D297E0C245F5E07E909922E9,SHA256=244ABAE78A69F0A928EEC3DE81C61326684915CC8F3BB10B2AE34C6169BEAD9D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000071087892Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:21.829{B81B27B7-4B3C-61E8-3000-00000000CE01}31083128C:\Windows\system32\conhost.exe{B81B27B7-BBFD-61F9-700D-02000000CE01}700C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087891Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:21.829{B81B27B7-4B39-61E8-0C00-00000000CE01}736760C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087890Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:21.829{B81B27B7-4B39-61E8-0C00-00000000CE01}736760C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087889Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:21.829{B81B27B7-4B38-61E8-0500-00000000CE01}4201000C:\Windows\system32\csrss.exe{B81B27B7-BBFD-61F9-700D-02000000CE01}700C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000071087888Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:21.829{B81B27B7-4B39-61E8-0C00-00000000CE01}736760C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087887Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:21.829{B81B27B7-4B39-61E8-0C00-00000000CE01}736760C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087886Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:21.829{B81B27B7-4B3A-61E8-2600-00000000CE01}21723992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-BBFD-61F9-700D-02000000CE01}700C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000071087885Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:21.815{B81B27B7-BBFD-61F9-700D-02000000CE01}700C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4B39-61E8-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000071087884Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:21.704{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=67192D4F09B7B52DF0F7008F5DA8D585,SHA256=88E69A1841C6B273ABAB7C4FD68EBD48CEF458639C4015819852057297147CDF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087883Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:21.704{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C778A1996A91C83E8316BA85613DF1D2,SHA256=1D885EB779075CE4F8B860998FA002461E86F1BE2A6A5C6B5803D6B6434FC73D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000071087882Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:21.548{B81B27B7-BBFD-61F9-6F0D-02000000CE01}18042160C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087881Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:21.298{B81B27B7-4B3C-61E8-3000-00000000CE01}31083128C:\Windows\system32\conhost.exe{B81B27B7-BBFD-61F9-6F0D-02000000CE01}1804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087880Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:21.298{B81B27B7-4B38-61E8-0500-00000000CE01}420436C:\Windows\system32\csrss.exe{B81B27B7-BBFD-61F9-6F0D-02000000CE01}1804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000071087879Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:21.298{B81B27B7-4B39-61E8-0C00-00000000CE01}736760C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087878Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:21.298{B81B27B7-4B39-61E8-0C00-00000000CE01}736760C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087877Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:21.298{B81B27B7-4B39-61E8-0C00-00000000CE01}736760C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087876Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:21.298{B81B27B7-4B39-61E8-0C00-00000000CE01}736760C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087875Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:21.298{B81B27B7-4B3A-61E8-2600-00000000CE01}21723992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-BBFD-61F9-6F0D-02000000CE01}1804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000071087874Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:21.283{B81B27B7-BBFD-61F9-6F0D-02000000CE01}1804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4B39-61E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000071087873Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:21.141{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24A9ED6C661588E378F63E9B88ECED9E,SHA256=2C24A887E2D34A4216997DB085E1F7D5D321EA09E83D3F52F721B80BA368973C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685962Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:22.682{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=104F8F6D96810DEDCF120D2E42040E43,SHA256=39CF2AF30294E378E36D626777EC2CEA55B8D2241F3EDAFB787AD6FC15DBFA5F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087903Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:22.860{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=67192D4F09B7B52DF0F7008F5DA8D585,SHA256=88E69A1841C6B273ABAB7C4FD68EBD48CEF458639C4015819852057297147CDF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000071087902Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:22.454{B81B27B7-4B3C-61E8-3000-00000000CE01}31083128C:\Windows\system32\conhost.exe{B81B27B7-BBFE-61F9-710D-02000000CE01}4888C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087901Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:22.454{B81B27B7-4B38-61E8-0500-00000000CE01}4201000C:\Windows\system32\csrss.exe{B81B27B7-BBFE-61F9-710D-02000000CE01}4888C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000071087900Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:22.454{B81B27B7-4B39-61E8-0C00-00000000CE01}736760C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087899Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:22.454{B81B27B7-4B39-61E8-0C00-00000000CE01}736760C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087898Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:22.454{B81B27B7-4B39-61E8-0C00-00000000CE01}736760C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087897Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:22.454{B81B27B7-4B39-61E8-0C00-00000000CE01}736760C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087896Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:22.454{B81B27B7-4B3A-61E8-2600-00000000CE01}21723992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-BBFE-61F9-710D-02000000CE01}4888C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000071087895Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:22.440{B81B27B7-BBFE-61F9-710D-02000000CE01}4888C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4B39-61E8-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000071087894Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:22.235{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38F72E8D45F1C79EBEC7C9F9F3F4E914,SHA256=431F9D4ADBB973E2D15DA99301F54D82CCB9E94660E364804DABB3F919471611,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000071087893Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:22.016{B81B27B7-BBFD-61F9-700D-02000000CE01}7004572C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000150685965Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:23.683{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB9017F986CB201743F36A807C2BEF1E,SHA256=94B748281BAB7566759BE46C665E953C60B81DAAFA0A978C9118EFCF4B462148,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087904Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:23.282{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2DAD70A0B58D0A0F5439FAE2C96AC2F,SHA256=472FFE0BEA8C96FFF83D84989D0BA474C0A3E34FE62C3D1C6EC6DEB7953E7AC9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000150685964Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:23.308{3BF36828-DC58-61EA-604E-00000000CF01}38726132C:\Windows\system32\sihost.exe{3BF36828-4B33-61E8-0100-00000000CF01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+119d|C:\Windows\System32\modernexecserver.dll+41bd7|C:\Windows\System32\modernexecserver.dll+16625|C:\Windows\System32\modernexecserver.dll+48db6|C:\Windows\System32\modernexecserver.dll+34515|C:\Windows\System32\modernexecserver.dll+33e62|C:\Windows\System32\modernexecserver.dll+33ce9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000150685963Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:23.245{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B62ECFD3F39B727304BA30861C2224C7,SHA256=C58C63951AB45125AED6191A945DFEF20D1078AC35D63B8E34BEC571A4ECB31E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685967Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:24.698{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC8F489516BD12FD5A585A20B2C47110,SHA256=28ABF3A2600B4ECFD076338DBD75A8EC7D14DDAA289EFA7901DECCB352AE3125,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087906Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:24.391{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7E9BBD7C7B67ED2AF3DFEA9527ECC23,SHA256=B1F298C8D4688C886D509A911D4142A73265153AA66D08A022E731491C96AF12,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000150685966Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:05.814{3BF36828-4B56-61E8-6D00-00000000CF01}4044C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local59815-false10.0.1.12-8000- 354300x800000000000000071087905Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:16.794{B81B27B7-4B45-61E8-6600-00000000CE01}4020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local54147-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000071087907Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:25.438{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDA257E4948DE4F673DE7B6FFD0DCF49,SHA256=D162CDAFD7ED59C744431B84F2AF515585A2277413BF898739060159540828BE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685968Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:25.714{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFC1C8A382F6048E476CA4532E0DFF03,SHA256=402A5E763860B45D11EEABA9E3FD6A05024823243F824E8066110576C1AFC967,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087908Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:26.454{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34C046F0AB928D5544DA213DC76526D6,SHA256=88A87108EC8C9BD95C6E28B8113EEC81C96F9ACF89AB17B8C3DFD31EC0B8F68A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685969Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:26.745{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46D024FF286028C263A6FB64614102F2,SHA256=4C7063A5C637D104143A5F883DFA15ECACF4CD2B8E58DF700D3B63E05F29FAC4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685970Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:27.761{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=343E601F396CF6DD147402210A199339,SHA256=CA0C4C3E006298974592732F3B86DAB909C0773E868763E20A7C457ED9F91204,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087909Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:27.470{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABBF841C54856F3A88E4396348FE60E8,SHA256=B6456BDD184460FAFA102EFAE16C056D0970025EBB64655072EE522C22E72A0F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685971Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:28.776{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95BE529486E952122D9DD113D430DBA3,SHA256=D72BC46205F32EF4483804BB46DE8E0F0024560EC1138F72986DC14681DB854A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087910Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:28.516{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D71C148D2AFD0002ED93F7A2B792A051,SHA256=2FB62A45CA3EA26EACADF101CF606A8AA58F8D9D60BAB61B3415C26A23FF97A6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087911Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:29.626{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4084EF05716A4F2F1FFB25A4423E8DA4,SHA256=9B06C5D7A99D2E24129E236D7BE44578119DA906E1D515BA3315A69BDC0CA214,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 17141700x8000000000000000150686022Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-CreatePipe2022-02-01 23:02:29.651{3BF36828-BC05-61F9-A60D-02000000CF01}2032\PSEXESVCC:\Windows\PSEXESVC.exe 734700x8000000000000000150686021Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:29.651{3BF36828-BC05-61F9-A60D-02000000CF01}2032C:\Windows\PSEXESVC.exeC:\Windows\System32\ntmarta.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=854A3CAE7C97B630158C9F7EE8555970,SHA256=20F0A4D99C5095A0CAC39B816BFC987F64CD051843C79E027714666375986176,IMPHASH=98050D95AE15C8382F287539F2BF65FAtrueMicrosoft WindowsValid 734700x8000000000000000150686020Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:29.651{3BF36828-BC05-61F9-A60D-02000000CF01}2032C:\Windows\PSEXESVC.exeC:\Windows\System32\wtsapi32.dll10.0.14393.0 (rs1_release.160715-1616)Windows Remote Desktop Session Host Server SDK APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationwtsapi32.dllMD5=D0DB3DD09FB2B4ADABF4E719FAFC4EB9,SHA256=8B7C056B5F4AB604ED5077A39C63CE1B5A34929DE76DA4A3C54D6E648D123BAB,IMPHASH=AD7CEB919D43FA2BD394EC803EB6BCDAtrueMicrosoft WindowsValid 734700x8000000000000000150686019Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:29.636{3BF36828-BC05-61F9-A60D-02000000CF01}2032C:\Windows\PSEXESVC.exeC:\Windows\PSEXESVC.exe2.34PsExec ServiceSysinternals PsExecSysinternalspsexesvc.exeMD5=03F939FDB217649071FA37B5B3DFFF9F,SHA256=684DA0AA8730CB9E28F9DE706811624D8E1AC12397139F0C87DED34BAB21309D,IMPHASH=717400F186B3E5D43C8AB61FB43BF595trueMicrosoft CorporationValid 10341000x8000000000000000150686018Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:29.651{3BF36828-4B37-61E8-0A00-00000000CF01}6244596C:\Windows\system32\services.exe{3BF36828-BC05-61F9-A60D-02000000CF01}2032C:\Windows\PSEXESVC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150686017Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:29.651{3BF36828-BC05-61F9-A60D-02000000CF01}2032C:\Windows\PSEXESVC.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000150686016Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:29.651{3BF36828-BC05-61F9-A60D-02000000CF01}2032C:\Windows\PSEXESVC.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000150686015Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:29.651{3BF36828-BC05-61F9-A60D-02000000CF01}2032C:\Windows\PSEXESVC.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x8000000000000000150686014Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:29.651{3BF36828-BC05-61F9-A60D-02000000CF01}2032C:\Windows\PSEXESVC.exeC:\Windows\System32\windows.storage.dll10.0.14393.4402 (rs1_release.210426-1725)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=DCB0FEE21129CF5397BBB8060CC5F62C,SHA256=89A6859022294A24D5253F4206FD49A45A1DEF34ACC894BF94CA0203DAE81623,IMPHASH=181A859176420BBB803F246C0E4B0889trueMicrosoft WindowsValid 734700x8000000000000000150686013Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:29.651{3BF36828-BC05-61F9-A60D-02000000CF01}2032C:\Windows\PSEXESVC.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x8000000000000000150686012Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:29.651{3BF36828-BC05-61F9-A60D-02000000CF01}2032C:\Windows\PSEXESVC.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x8000000000000000150686011Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:29.651{3BF36828-BC05-61F9-A60D-02000000CF01}2032C:\Windows\PSEXESVC.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.14393.2457_none_a13eaee9d8fd5c07\comctl32.dll5.82 (rs1_release_inmarket.180822-1743)Common Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMCTL32.DLLMD5=C89866876D676708892DEEA04A886CDA,SHA256=6C498F9AFFC75DFAADDACB9D1D4248862622FB2B06F0A410BA303A26FEADFF2B,IMPHASH=49FE37530A5C395ADDDAFC2730B16DDDtrueMicrosoft WindowsValid 734700x8000000000000000150686010Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:29.651{3BF36828-BC05-61F9-A60D-02000000CF01}2032C:\Windows\PSEXESVC.exeC:\Windows\System32\shell32.dll10.0.14393.4402 (rs1_release.210426-1725)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=5B28CA0CDE72EA21C402B62DDA249256,SHA256=8E46588F0A51745F89CB6C3011B227BE504D9B9D14FF33910DF57F4EDF15ED9A,IMPHASH=2ED99A476E2DEFB78DF894322CB4A549trueMicrosoft WindowsValid 734700x8000000000000000150686009Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:29.651{3BF36828-BC05-61F9-A60D-02000000CF01}2032C:\Windows\PSEXESVC.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CA,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x8000000000000000150686008Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:29.636{3BF36828-BC05-61F9-A60D-02000000CF01}2032C:\Windows\PSEXESVC.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430D,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x8000000000000000150686007Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:29.636{3BF36828-BC05-61F9-A60D-02000000CF01}2032C:\Windows\PSEXESVC.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000150686006Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:29.636{3BF36828-BC05-61F9-A60D-02000000CF01}2032C:\Windows\PSEXESVC.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000150686005Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:29.636{3BF36828-BC05-61F9-A60D-02000000CF01}2032C:\Windows\PSEXESVC.exeC:\Windows\System32\comdlg32.dll10.0.14393.4283 (rs1_release.210303-1802)Common Dialogs DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcomdlg32.dllMD5=0DB1A588A248E852AD781AE14333A5C6,SHA256=6F9C36C2663B90439A1AEE74855C521FCBBDB8C7B88382C9464906F1691F65F6,IMPHASH=06716A63D3E6F97CB489B0D6810B3519trueMicrosoft WindowsValid 734700x8000000000000000150686004Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:29.636{3BF36828-BC05-61F9-A60D-02000000CF01}2032C:\Windows\PSEXESVC.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000150686003Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:29.636{3BF36828-BC05-61F9-A60D-02000000CF01}2032C:\Windows\PSEXESVC.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000150686002Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:29.636{3BF36828-BC05-61F9-A60D-02000000CF01}2032C:\Windows\PSEXESVC.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150686001Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:29.636{3BF36828-BC05-61F9-A60D-02000000CF01}2032C:\Windows\PSEXESVC.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x8000000000000000150686000Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:29.636{3BF36828-BC05-61F9-A60D-02000000CF01}2032C:\Windows\PSEXESVC.exeC:\Windows\System32\mpr.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Multiple Provider Router DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmpr.dllMD5=0E56DB60C434D51769F2DAC48B9AA686,SHA256=3F9AED98B1B7F6A59C219F622FD91C7FD20BFE280935F5334920A02ECCAE7ED6,IMPHASH=46ADE2B067E724C7163A0B1902FEF225trueMicrosoft WindowsValid 734700x8000000000000000150685999Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:29.636{3BF36828-BC05-61F9-A60D-02000000CF01}2032C:\Windows\PSEXESVC.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000150685998Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:29.636{3BF36828-BC05-61F9-A60D-02000000CF01}2032C:\Windows\PSEXESVC.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000150685997Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:29.636{3BF36828-BC05-61F9-A60D-02000000CF01}2032C:\Windows\PSEXESVC.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000150685996Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:29.636{3BF36828-BC05-61F9-A60D-02000000CF01}2032C:\Windows\PSEXESVC.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000150685995Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:29.636{3BF36828-BC05-61F9-A60D-02000000CF01}2032C:\Windows\PSEXESVC.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000150685994Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:29.636{3BF36828-BC05-61F9-A60D-02000000CF01}2032C:\Windows\PSEXESVC.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000150685993Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:29.636{3BF36828-BC05-61F9-A60D-02000000CF01}2032C:\Windows\PSEXESVC.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5,IMPHASH=9A7C66851249D4CED6C2C9096DCA243BtrueMicrosoft WindowsValid 734700x8000000000000000150685992Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:29.636{3BF36828-BC05-61F9-A60D-02000000CF01}2032C:\Windows\PSEXESVC.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000150685991Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:29.636{3BF36828-BC05-61F9-A60D-02000000CF01}2032C:\Windows\PSEXESVC.exeC:\Windows\System32\userenv.dll10.0.14393.3986 (rs1_release.201002-1707)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=047D26DCED07A10913C3E7C3A7502BED,SHA256=143C661F79AC6BB271452A10C2A19F6B1AAAAE43B4062B6CFF173F7D8ABC40FE,IMPHASH=C84FC60AE2A79A06E8C46A6929CDECB4trueMicrosoft WindowsValid 734700x8000000000000000150685990Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:29.636{3BF36828-BC05-61F9-A60D-02000000CF01}2032C:\Windows\PSEXESVC.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000150685989Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:29.636{3BF36828-BC05-61F9-A60D-02000000CF01}2032C:\Windows\PSEXESVC.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000150685988Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:29.636{3BF36828-BC05-61F9-A60D-02000000CF01}2032C:\Windows\PSEXESVC.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000150685987Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:29.636{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150685986Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:29.636{3BF36828-4B36-61E8-0500-00000000CF01}416432C:\Windows\system32\csrss.exe{3BF36828-BC05-61F9-A60D-02000000CF01}2032C:\Windows\PSEXESVC.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000150685985Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:29.636{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150685984Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:29.636{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150685983Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:29.636{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150685982Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:29.636{3BF36828-4B37-61E8-0A00-00000000CF01}6243512C:\Windows\system32\services.exe{3BF36828-BC05-61F9-A60D-02000000CF01}2032C:\Windows\PSEXESVC.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\services.exe+3332|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+4b028|C:\Windows\System32\RPCRT4.dll+4b38d|C:\Windows\System32\RPCRT4.dll+4d7b0|C:\Windows\System32\RPCRT4.dll+5818b|C:\Windows\System32\RPCRT4.dll+57fb9|C:\Windows\System32\KERNELBASE.dll+5f130|C:\Windows\SYSTEM32\ntdll.dll+3acc8|C:\Windows\SYSTEM32\ntdll.dll+1eccd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000150685981Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:29.614{3BF36828-BC05-61F9-A60D-02000000CF01}2032C:\Windows\PSEXESVC.exe2.34PsExec ServiceSysinternals PsExecSysinternalspsexesvc.exeC:\Windows\PSEXESVC.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4B37-61E8-E703-000000000000}0x3e70SystemMD5=03F939FDB217649071FA37B5B3DFFF9F,SHA256=684DA0AA8730CB9E28F9DE706811624D8E1AC12397139F0C87DED34BAB21309D,IMPHASH=717400F186B3E5D43C8AB61FB43BF595{3BF36828-4B37-61E8-0A00-00000000CF01}624C:\Windows\System32\services.exeC:\Windows\system32\services.exe 13241300x8000000000000000150685980Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2022-02-01 23:02:29.604{3BF36828-4B37-61E8-0A00-00000000CF01}624C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PSEXESVC\ObjectNameLocalSystem 13241300x8000000000000000150685979Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2022-02-01 23:02:29.604{3BF36828-4B37-61E8-0A00-00000000CF01}624C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PSEXESVC\DisplayNamePSEXESVC 13241300x8000000000000000150685978Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.localT1031,T1050SetValue2022-02-01 23:02:29.604{3BF36828-4B37-61E8-0A00-00000000CF01}624C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PSEXESVC\ImagePath%%SystemRoot%%\PSEXESVC.exe 13241300x8000000000000000150685977Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2022-02-01 23:02:29.604{3BF36828-4B37-61E8-0A00-00000000CF01}624C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PSEXESVC\ErrorControlDWORD (0x00000000) 13241300x8000000000000000150685976Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.localT1031,T1050SetValue2022-02-01 23:02:29.604{3BF36828-4B37-61E8-0A00-00000000CF01}624C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PSEXESVC\StartDWORD (0x00000003) 13241300x8000000000000000150685975Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2022-02-01 23:02:29.604{3BF36828-4B37-61E8-0A00-00000000CF01}624C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PSEXESVC\TypeDWORD (0x00000010) 354300x8000000000000000150685974Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:11.658{3BF36828-4B56-61E8-6D00-00000000CF01}4044C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local59816-false10.0.1.12-8000- 23542300x8000000000000000150685973Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:29.120{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=19EE38C1DEFB7D1AE72D38BFFBAE0793,SHA256=4256C1C523CAAFD47EFE28F92E637AC4CDD8912D3C69DE76AC0C248FA20D2228,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150685972Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:29.120{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=22F253B7D5B43775F0E891975090C5F1,SHA256=F7E00A79330369316482EB86BD1F844C0BD6875A02D473B8E8763F571B3C78E3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087913Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:30.782{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=459ABBA448352BC4CFDC55A8D22F6967,SHA256=145BE16092B0F6DA5C3254BFFCBFB1C5EC99C995AE54E48EEC12220B2023ECA4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150686026Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:30.682{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=19EE38C1DEFB7D1AE72D38BFFBAE0793,SHA256=4256C1C523CAAFD47EFE28F92E637AC4CDD8912D3C69DE76AC0C248FA20D2228,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150686025Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:30.667{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=3B9A7590626DAAD217487D47A2B990F5,SHA256=9CE3E2C6C23C40B60F27CA5E40A31BB0F9186C3996296ACDF264C765DA5B2D60,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150686024Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:30.667{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=C9B6FBF068F47A4936F49410B099842F,SHA256=17C8A366704120CC6B886A5915738B19B8DFDD406000AC562AB8E81716216871,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150686023Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:30.276{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C48DFE0F64046BD0D2A5D53AA53A7AD2,SHA256=F770A76667CD8DBF1DE645C07D3E6D361EE1633C2FBDC5A31A8863EEA40B5261,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000071087912Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:22.700{B81B27B7-4B45-61E8-6600-00000000CE01}4020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local54148-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000071087914Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:31.860{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AD388D3EEFD3EB9A33ADE3B19CE6B33,SHA256=AF6687920A8A3791017B4136A7F5D5F9F0BB7FB465A8CE95BCFC89D69D2789B0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150686027Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:31.370{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AFFFC9FEDBD1A58302A1A9EE29197AE,SHA256=6026221E9B6B19CFD0EDE04EAED56938973328DCAEB4F4F97826275DC297FB24,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087915Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:32.891{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=344B111BF98786FE014913907EDB115C,SHA256=3D37895BC2B817F37097ED658AB1801484ECCC595FDCD43A2FBAE00544E05499,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150686029Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:32.401{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=348D5C7FAC31345A8C094BFDD9EFB242,SHA256=DFD59BE2E5AA20AB39E50E7D24EE216DC343BE702F4D97DA54A787FE4A5FE57F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150686028Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:32.276{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=798C130DD11FDF28BEA571E089FCD19C,SHA256=80B713DF53A20B38490B3059B06E36858BD067DD6839965EAF88BAD1B2ED1A62,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087916Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:33.907{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E451A07ACF64E79EC745583B9528444,SHA256=383850026BF57D9638DE3CCBDAE3202DB0D0C5DAEFA5A51CA2B2043980CDA2AF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000150686103Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:33.995{3BF36828-BC09-61F9-A70D-02000000CF01}3304C:\Windows\System32\dllhost.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 10341000x8000000000000000150686102Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:33.995{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-BC09-61F9-A70D-02000000CF01}3304C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150686101Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:33.979{3BF36828-BC09-61F9-A70D-02000000CF01}3304C:\Windows\System32\dllhost.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000150686100Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:33.979{3BF36828-BC09-61F9-A70D-02000000CF01}3304C:\Windows\System32\dllhost.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000150686099Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:33.979{3BF36828-BC09-61F9-A70D-02000000CF01}3304C:\Windows\System32\dllhost.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150686098Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:33.979{3BF36828-BC09-61F9-A70D-02000000CF01}3304C:\Windows\System32\dllhost.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000150686097Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:33.979{3BF36828-BC09-61F9-A70D-02000000CF01}3304C:\Windows\System32\dllhost.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2,IMPHASH=0BE8D1F061DD646F6D2B834CB7C9C900trueMicrosoft WindowsValid 734700x8000000000000000150686096Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:33.979{3BF36828-BC09-61F9-A70D-02000000CF01}3304C:\Windows\System32\dllhost.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000150686095Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:33.979{3BF36828-BC09-61F9-A70D-02000000CF01}3304C:\Windows\System32\dllhost.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000150686094Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:33.979{3BF36828-BC09-61F9-A70D-02000000CF01}3304C:\Windows\System32\dllhost.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000150686093Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:33.979{3BF36828-BC09-61F9-A70D-02000000CF01}3304C:\Windows\System32\dllhost.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000150686092Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:33.979{3BF36828-BC09-61F9-A70D-02000000CF01}3304C:\Windows\System32\dllhost.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000150686091Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:33.979{3BF36828-BC09-61F9-A70D-02000000CF01}3304C:\Windows\System32\dllhost.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000150686090Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:33.979{3BF36828-BC09-61F9-A70D-02000000CF01}3304C:\Windows\System32\dllhost.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000150686089Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:33.979{3BF36828-BC09-61F9-A70D-02000000CF01}3304C:\Windows\System32\dllhost.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000150686088Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:33.979{3BF36828-BC09-61F9-A70D-02000000CF01}3304C:\Windows\System32\dllhost.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150686087Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:33.979{3BF36828-BC09-61F9-A70D-02000000CF01}3304C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe10.0.14393.0 (rs1_release.160715-1616)COM SurrogateMicrosoft® Windows® Operating SystemMicrosoft Corporationdllhost.exeMD5=DA63852A2B0340E94D74EAF0CD444979,SHA256=EE8364C07B3F4F71FA649E0E6C4C73C15D285130E4B16E79890EEBBF89C2164E,IMPHASH=1C99A7F1249FB0C7B924253B69E59F88trueMicrosoft WindowsValid 10341000x8000000000000000150686086Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:33.979{3BF36828-4B36-61E8-0500-00000000CF01}4164876C:\Windows\system32\csrss.exe{3BF36828-BC09-61F9-A70D-02000000CF01}3304C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000150686085Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:33.979{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-BC09-61F9-A70D-02000000CF01}3304C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150686084Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:33.948{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\System32\svchost.exeC:\Windows\System32\shacctprofile.dll10.0.14393.0 (rs1_release.160715-1616)Shell Accounts Profile ClassesMicrosoft® Windows® Operating SystemMicrosoft Corporationshacctprofile.dllMD5=5FD61CBBA92898CF722A96C6565FDCE3,SHA256=B08D8E9C47A62A748937BB6975DEEE85E5C55F634A4214F46CC5F75D41CD2211,IMPHASH=2C71174EBC4002AB876F4E6F44B03785trueMicrosoft WindowsValid 18141800x8000000000000000150686083Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-ConnectPipe2022-02-01 23:02:33.948{3BF36828-4B33-61E8-0100-00000000CF01}4\PSEXESVC-WIN-HOST-987-3456-stderrSystem 18141800x8000000000000000150686082Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-ConnectPipe2022-02-01 23:02:33.948{3BF36828-4B33-61E8-0100-00000000CF01}4\PSEXESVC-WIN-HOST-987-3456-stdoutSystem 18141800x8000000000000000150686081Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-ConnectPipe2022-02-01 23:02:33.948{3BF36828-4B33-61E8-0100-00000000CF01}4\PSEXESVC-WIN-HOST-987-3456-stdinSystem 17141700x8000000000000000150686080Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-CreatePipe2022-02-01 23:02:33.932{3BF36828-BC05-61F9-A60D-02000000CF01}2032\PSEXESVC-WIN-HOST-987-3456-stderrC:\Windows\PSEXESVC.exe 17141700x8000000000000000150686079Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-CreatePipe2022-02-01 23:02:33.932{3BF36828-BC05-61F9-A60D-02000000CF01}2032\PSEXESVC-WIN-HOST-987-3456-stdoutC:\Windows\PSEXESVC.exe 17141700x8000000000000000150686078Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-CreatePipe2022-02-01 23:02:33.932{3BF36828-BC05-61F9-A60D-02000000CF01}2032\PSEXESVC-WIN-HOST-987-3456-stdinC:\Windows\PSEXESVC.exe 734700x8000000000000000150686077Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:33.932{3BF36828-BC05-61F9-A60D-02000000CF01}2032C:\Windows\PSEXESVC.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 10341000x8000000000000000150686076Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:33.932{3BF36828-4B37-61E8-0B00-00000000CF01}6322768C:\Windows\system32\lsass.exe{3BF36828-BC05-61F9-A60D-02000000CF01}2032C:\Windows\PSEXESVC.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150686075Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:33.932{3BF36828-4B37-61E8-0B00-00000000CF01}6322768C:\Windows\system32\lsass.exe{3BF36828-BC05-61F9-A60D-02000000CF01}2032C:\Windows\PSEXESVC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150686074Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:33.932{3BF36828-BC05-61F9-A60D-02000000CF01}2032C:\Windows\PSEXESVC.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000150686073Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:33.932{3BF36828-BC05-61F9-A60D-02000000CF01}2032C:\Windows\PSEXESVC.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000150686072Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:33.932{3BF36828-BC05-61F9-A60D-02000000CF01}2032C:\Windows\PSEXESVC.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000150686071Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:33.932{3BF36828-BC05-61F9-A60D-02000000CF01}2032C:\Windows\PSEXESVC.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 23542300x8000000000000000150686070Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:33.917{3BF36828-BC05-61F9-A60D-02000000CF01}2032NT AUTHORITY\SYSTEMC:\Windows\PSEXESVC.exeC:\Windows\PSEXEC-WIN-HOST-987-2109D23B.keyMD5=8DB0EC44A14B7800D52B2B4338A8517D,SHA256=791AD4D058F2F788A1BD9C330F47E12D26C6490DE63778AD856908B3077183E7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000150686069Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:33.917{3BF36828-DC58-61EA-604E-00000000CF01}38726132C:\Windows\system32\sihost.exe{3BF36828-4B33-61E8-0100-00000000CF01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+119d|C:\Windows\System32\modernexecserver.dll+41bd7|C:\Windows\System32\modernexecserver.dll+16625|C:\Windows\System32\modernexecserver.dll+48db6|C:\Windows\System32\modernexecserver.dll+34515|C:\Windows\System32\modernexecserver.dll+33e62|C:\Windows\System32\modernexecserver.dll+33ce9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150686068Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:33.917{3BF36828-DC58-61EA-604E-00000000CF01}38726132C:\Windows\system32\sihost.exe{3BF36828-4B33-61E8-0100-00000000CF01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+119d|C:\Windows\System32\modernexecserver.dll+41bd7|C:\Windows\System32\modernexecserver.dll+16625|C:\Windows\System32\modernexecserver.dll+48db6|C:\Windows\System32\modernexecserver.dll+34515|C:\Windows\System32\modernexecserver.dll+33e62|C:\Windows\System32\modernexecserver.dll+33ce9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x8000000000000000150686067Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-ConnectPipe2022-02-01 23:02:33.917{3BF36828-4B33-61E8-0100-00000000CF01}4\PSEXESVCSystem 10341000x8000000000000000150686066Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:33.714{3BF36828-4B39-61E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{3BF36828-0669-61F8-11DA-01000000CF01}6068C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150686065Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:33.714{3BF36828-4B39-61E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{3BF36828-0669-61F8-11DA-01000000CF01}6068C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150686064Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:33.714{3BF36828-4B39-61E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{3BF36828-0669-61F8-11DA-01000000CF01}6068C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150686063Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:33.714{3BF36828-4B39-61E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{3BF36828-0669-61F8-11DA-01000000CF01}6068C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150686062Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:33.714{3BF36828-4B39-61E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{3BF36828-0669-61F8-11DA-01000000CF01}6068C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150686061Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:33.714{3BF36828-4B39-61E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{3BF36828-0669-61F8-11DA-01000000CF01}6068C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150686060Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:33.714{3BF36828-4B39-61E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{3BF36828-0669-61F8-11DA-01000000CF01}6068C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150686059Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:33.714{3BF36828-4B39-61E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{3BF36828-0669-61F8-11DA-01000000CF01}6068C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150686058Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:33.714{3BF36828-4B39-61E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{3BF36828-0669-61F8-11DA-01000000CF01}6068C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150686057Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:33.714{3BF36828-4B39-61E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{3BF36828-0669-61F8-11DA-01000000CF01}6068C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150686056Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:33.714{3BF36828-4B39-61E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{3BF36828-0669-61F8-11DA-01000000CF01}6068C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150686055Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:33.714{3BF36828-4B39-61E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{3BF36828-0669-61F8-11DA-01000000CF01}6068C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150686054Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:33.714{3BF36828-4B39-61E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{3BF36828-0669-61F8-11DA-01000000CF01}6068C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150686053Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:33.714{3BF36828-4B39-61E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{3BF36828-0669-61F8-11DA-01000000CF01}6068C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150686052Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:33.714{3BF36828-4B39-61E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{3BF36828-0669-61F8-11DA-01000000CF01}6068C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150686051Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:33.714{3BF36828-4B39-61E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{3BF36828-0669-61F8-11DA-01000000CF01}6068C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150686050Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:33.714{3BF36828-4B39-61E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{3BF36828-0669-61F8-11DA-01000000CF01}6068C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150686049Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:33.714{3BF36828-4B39-61E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{3BF36828-0669-61F8-11DA-01000000CF01}6068C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150686048Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:33.714{3BF36828-4B39-61E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{3BF36828-0669-61F8-11DA-01000000CF01}6068C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150686047Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:33.714{3BF36828-4B39-61E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{3BF36828-0669-61F8-11DA-01000000CF01}6068C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150686046Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:33.714{3BF36828-4B39-61E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{3BF36828-0669-61F8-11DA-01000000CF01}6068C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150686045Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:33.714{3BF36828-4B39-61E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{3BF36828-0669-61F8-11DA-01000000CF01}6068C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150686044Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:33.714{3BF36828-4B39-61E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{3BF36828-066A-61F8-13DA-01000000CF01}3168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150686043Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:33.714{3BF36828-4B39-61E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{3BF36828-066A-61F8-13DA-01000000CF01}3168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150686042Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:33.714{3BF36828-4B39-61E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{3BF36828-066A-61F8-13DA-01000000CF01}3168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150686041Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:33.714{3BF36828-4B39-61E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2B00-00000000CF01}3000C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150686040Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:33.714{3BF36828-4B39-61E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2B00-00000000CF01}3000C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150686039Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:33.714{3BF36828-4B39-61E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{3BF36828-066A-61F8-12DA-01000000CF01}6088C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150686038Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:33.714{3BF36828-4B39-61E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{3BF36828-066A-61F8-12DA-01000000CF01}6088C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150686037Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:33.714{3BF36828-4B39-61E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{3BF36828-066A-61F8-12DA-01000000CF01}6088C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150686036Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:33.714{3BF36828-4B39-61E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{3BF36828-066A-61F8-12DA-01000000CF01}6088C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150686035Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:33.714{3BF36828-4B39-61E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{3BF36828-066A-61F8-12DA-01000000CF01}6088C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150686034Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:33.714{3BF36828-4B39-61E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{3BF36828-066A-61F8-12DA-01000000CF01}6088C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150686033Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:33.714{3BF36828-4B39-61E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{3BF36828-066A-61F8-12DA-01000000CF01}6088C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000150686032Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:14.830{3BF36828-4B37-61E8-0B00-00000000CF01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local59817-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 354300x8000000000000000150686031Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:14.830{3BF36828-4B49-61E8-2500-00000000CF01}2824C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local59817-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 23542300x8000000000000000150686030Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:33.417{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=566F974CFC46907BD56EE9DD9AF933E9,SHA256=F632B07DD215B55F224E5464BFAA0172A89D983CC033548CC3873D60851588C0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000150686158Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:16.767{3BF36828-4B56-61E8-6D00-00000000CF01}4044C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local59818-false10.0.1.12-8000- 23542300x8000000000000000150686157Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:34.448{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB62F11EF7410F11F826874EA5879E1C,SHA256=361AE68BE19F55DD79D0B025E2C19370ADB0ED65F66BCBEF6633CCC6AE9BEF53,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000071087917Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:27.825{B81B27B7-4B45-61E8-6600-00000000CE01}4020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local54149-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000150686156Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:34.229{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F8F366DE766EE9EA68B37E1FB546AD5C,SHA256=D5A48FF7765B7048A630ED4622071E7C27F7FD3788C0C4A7F297962C7A9BBF0C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150686155Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:34.104{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D061A45D22D25E33E5D4B2C3B8CF8388,SHA256=F56AD218D68E2B9F488EAEEBC68E3386F001EA056BD0A00EA58016C5731687CA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000150686154Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:34.042{3BF36828-BC0A-61F9-A80D-02000000CF01}5684C:\Windows\System32\cmd.exeC:\Windows\System32\winbrand.dll10.0.14393.2515 (rs1_release_1.180830-1044)Windows Branding ResourcesMicrosoft® Windows® Operating SystemMicrosoft Corporationwinbrand.dllMD5=CDA73668510FF0BA02967236A857CE7B,SHA256=24ADC4950116C2E3994450465B305D469B78F687EAADCBC167A8C4ECD4907306,IMPHASH=2C424150D7AE913E28B879B06042C9F2trueMicrosoft WindowsValid 734700x8000000000000000150686153Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:34.042{3BF36828-BC0A-61F9-A80D-02000000CF01}5684C:\Windows\System32\cmd.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000150686152Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:34.042{3BF36828-BC0A-61F9-A90D-02000000CF01}1936C:\Windows\System32\conhost.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x8000000000000000150686151Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:34.042{3BF36828-BC0A-61F9-A90D-02000000CF01}1936C:\Windows\System32\conhost.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000150686150Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:34.042{3BF36828-BC0A-61F9-A90D-02000000CF01}1936C:\Windows\System32\conhost.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CA,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 23542300x8000000000000000150686149Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:34.042{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C6D5F2ED6A4BDE78B5C1968E549CC85,SHA256=8856E7C6E717BA50B4D6D827FD428F4A22BE7BFA47AB61D863255DCC5F2454F5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000150686148Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:34.042{3BF36828-BC0A-61F9-A90D-02000000CF01}1936C:\Windows\System32\conhost.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x8000000000000000150686147Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:34.042{3BF36828-BC0A-61F9-A90D-02000000CF01}1936C:\Windows\System32\conhost.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x8000000000000000150686146Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:34.042{3BF36828-BC0A-61F9-A90D-02000000CF01}1936C:\Windows\System32\conhost.exeC:\Windows\System32\windows.storage.dll10.0.14393.4402 (rs1_release.210426-1725)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=DCB0FEE21129CF5397BBB8060CC5F62C,SHA256=89A6859022294A24D5253F4206FD49A45A1DEF34ACC894BF94CA0203DAE81623,IMPHASH=181A859176420BBB803F246C0E4B0889trueMicrosoft WindowsValid 734700x8000000000000000150686145Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:34.042{3BF36828-BC0A-61F9-A90D-02000000CF01}1936C:\Windows\System32\conhost.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x8000000000000000150686144Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:34.042{3BF36828-BC0A-61F9-A90D-02000000CF01}1936C:\Windows\System32\conhost.exeC:\Windows\System32\shell32.dll10.0.14393.4402 (rs1_release.210426-1725)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=5B28CA0CDE72EA21C402B62DDA249256,SHA256=8E46588F0A51745F89CB6C3011B227BE504D9B9D14FF33910DF57F4EDF15ED9A,IMPHASH=2ED99A476E2DEFB78DF894322CB4A549trueMicrosoft WindowsValid 10341000x8000000000000000150686143Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:34.042{3BF36828-BC0A-61F9-A90D-02000000CF01}19364672C:\Windows\system32\conhost.exe{3BF36828-BC0A-61F9-A80D-02000000CF01}5684C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150686142Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:34.026{3BF36828-BC0A-61F9-A90D-02000000CF01}1936C:\Windows\System32\conhost.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430D,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x8000000000000000150686141Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:34.026{3BF36828-BC0A-61F9-A90D-02000000CF01}1936C:\Windows\System32\conhost.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000150686140Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:34.026{3BF36828-BC0A-61F9-A90D-02000000CF01}1936C:\Windows\System32\conhost.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 734700x8000000000000000150686139Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:34.026{3BF36828-BC0A-61F9-A90D-02000000CF01}1936C:\Windows\System32\conhost.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000150686138Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:34.026{3BF36828-BC0A-61F9-A90D-02000000CF01}1936C:\Windows\System32\conhost.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000150686137Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:34.026{3BF36828-BC0A-61F9-A90D-02000000CF01}1936C:\Windows\System32\conhost.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x8000000000000000150686136Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:34.026{3BF36828-BC0A-61F9-A90D-02000000CF01}1936C:\Windows\System32\conhost.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150686135Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:34.026{3BF36828-BC0A-61F9-A90D-02000000CF01}1936C:\Windows\System32\conhost.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000150686134Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:34.026{3BF36828-BC0A-61F9-A90D-02000000CF01}1936C:\Windows\System32\conhost.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000150686133Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:34.026{3BF36828-BC0A-61F9-A90D-02000000CF01}1936C:\Windows\System32\conhost.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000150686132Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:34.026{3BF36828-BC0A-61F9-A90D-02000000CF01}1936C:\Windows\System32\conhost.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000150686131Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:34.026{3BF36828-BC0A-61F9-A90D-02000000CF01}1936C:\Windows\System32\conhost.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000150686130Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:34.026{3BF36828-BC0A-61F9-A90D-02000000CF01}1936C:\Windows\System32\conhost.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000150686129Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:34.026{3BF36828-BC0A-61F9-A90D-02000000CF01}1936C:\Windows\System32\conhost.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000150686128Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:34.026{3BF36828-BC0A-61F9-A90D-02000000CF01}1936C:\Windows\System32\conhost.exeC:\Windows\System32\ConhostV2.dll10.0.14393.4402 (rs1_release.210426-1725)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXEMD5=EBEFEF1FE2B0D6FF2595203DADE100C9,SHA256=70F4BB4198467DA8E2FD7AF475536B3F2FD1B3E56CEE7E376D0303C149C449F9,IMPHASH=49A59B06FE5B10F21E36B588430BFDB3trueMicrosoft WindowsValid 734700x8000000000000000150686127Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:34.026{3BF36828-BC0A-61F9-A90D-02000000CF01}1936C:\Windows\System32\conhost.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 10341000x8000000000000000150686126Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:34.026{3BF36828-4B36-61E8-0500-00000000CF01}416532C:\Windows\system32\csrss.exe{3BF36828-BC0A-61F9-A90D-02000000CF01}1936C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 734700x8000000000000000150686125Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:34.026{3BF36828-BC0A-61F9-A90D-02000000CF01}1936C:\Windows\System32\conhost.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000150686124Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:34.026{3BF36828-BC0A-61F9-A90D-02000000CF01}1936C:\Windows\System32\conhost.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000150686123Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:34.026{3BF36828-BC0A-61F9-A90D-02000000CF01}1936C:\Windows\System32\conhost.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150686122Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:34.026{3BF36828-BC0A-61F9-A90D-02000000CF01}1936C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe10.0.14393.0 (rs1_release.160715-1616)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXEMD5=D752C96401E2540A443C599154FC6FA9,SHA256=046F7A1B4DE67562547ED9A180A72F481FC41E803DE49A96D7D7C731964D53A0,IMPHASH=2C980A4DA7C717CC670CB9E1D2C4D733trueMicrosoft WindowsValid 734700x8000000000000000150686121Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:34.026{3BF36828-BC0A-61F9-A80D-02000000CF01}5684C:\Windows\System32\cmd.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000150686120Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:34.011{3BF36828-BC0A-61F9-A80D-02000000CF01}5684C:\Windows\System32\cmd.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000150686119Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:34.011{3BF36828-BC0A-61F9-A80D-02000000CF01}5684C:\Windows\System32\cmd.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150686118Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:34.011{3BF36828-BC0A-61F9-A80D-02000000CF01}5684C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37AtrueMicrosoft WindowsValid 10341000x8000000000000000150686117Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:34.011{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150686116Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:34.011{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150686115Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:34.011{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150686114Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:34.011{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150686113Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:34.011{3BF36828-4B36-61E8-0500-00000000CF01}4164876C:\Windows\system32\csrss.exe{3BF36828-BC0A-61F9-A80D-02000000CF01}5684C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000150686112Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:34.011{3BF36828-BC05-61F9-A60D-02000000CF01}20325248C:\Windows\PSEXESVC.exe{3BF36828-BC0A-61F9-A80D-02000000CF01}5684C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\ADVAPI32.dll+1845f|C:\Windows\PSEXESVC.exe+767d|C:\Windows\PSEXESVC.exe+7917|C:\Windows\PSEXESVC.exe+68ad|C:\Windows\PSEXESVC.exe+31f91|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000150686111Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:34.018{3BF36828-BC0A-61F9-A80D-02000000CF01}5684C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"cmd" C:\Windows\system32\ATTACKRANGE\Administrator{3BF36828-BBE9-61F9-1CA4-521300000000}0x1352a41c0HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{3BF36828-BC05-61F9-A60D-02000000CF01}2032C:\Windows\PSEXESVC.exeC:\Windows\PSEXESVC.exe 10341000x8000000000000000150686110Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:34.011{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150686109Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:33.995{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\System32\svchost.exeC:\Windows\System32\tokenbinding.dll10.0.14393.2363 (rs1_release.180625-1741)Token Binding ProtocolMicrosoft® Windows® Operating SystemMicrosoft Corporationtokenbinding.dllMD5=8AD65F608FD6964085B365A43F8DBEA4,SHA256=E088353C88877763D4E5BB6EB7FB55C81908DF639A9AF89EECA546FD9EDB18DE,IMPHASH=EDBDD2E193CED10C0D380B250BFC13C5trueMicrosoft WindowsValid 734700x8000000000000000150686108Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:33.995{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\System32\svchost.exeC:\Windows\System32\TokenBroker.dll10.0.14393.4169 (rs1_release.210107-1130)Token BrokerMicrosoft® Windows® Operating SystemMicrosoft CorporationTokenBroker.dllMD5=9ECF3BE652A6FF4B5C4744697FDDABA2,SHA256=00DF6190CBF64C8840C1B9068A844D4A6584E6D82C8C6FD78CFDB10184F815C7,IMPHASH=F91C8ACC62DFD3D725FAC2A0CBB6AA8FtrueMicrosoft WindowsValid 734700x8000000000000000150686107Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:33.995{3BF36828-BC09-61F9-A70D-02000000CF01}3304C:\Windows\System32\dllhost.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x8000000000000000150686106Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:33.995{3BF36828-BC09-61F9-A70D-02000000CF01}3304C:\Windows\System32\dllhost.exeC:\Windows\System32\userenv.dll10.0.14393.3986 (rs1_release.201002-1707)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=047D26DCED07A10913C3E7C3A7502BED,SHA256=143C661F79AC6BB271452A10C2A19F6B1AAAAE43B4062B6CFF173F7D8ABC40FE,IMPHASH=C84FC60AE2A79A06E8C46A6929CDECB4trueMicrosoft WindowsValid 734700x8000000000000000150686105Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:33.995{3BF36828-BC09-61F9-A70D-02000000CF01}3304C:\Windows\System32\dllhost.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000150686104Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:33.995{3BF36828-BC09-61F9-A70D-02000000CF01}3304C:\Windows\System32\dllhost.exeC:\Windows\System32\IDStore.dll10.0.14393.4169 (rs1_release.210107-1130)Identity StoreMicrosoft® Windows® Operating SystemMicrosoft CorporationIdStore.dllMD5=C361C32146F8C2E67168CFC076DBBF55,SHA256=D27DC85DE98B5C85AAAEEE1FC2EBE0F92B53F82F35F0AC6A49ADAE83456C0740,IMPHASH=E5FDBED6A52D2B5010634A77EC08AD4DtrueMicrosoft WindowsValid 23542300x8000000000000000150686160Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:35.479{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63BB551069A9FB1EB7A8CB425E374D01,SHA256=46EB23A18389C011ABEC7F1A60EE5B1323B8EA57E5E38C2DC3A06C6F5B2A6282,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087918Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:35.126{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F4199C44368BE54001BDEDD73704712,SHA256=1B4C4B8DBFCD8D984639B6C9819017A590414B4AF8B32CE1A57293E6A070A21F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150686159Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:35.042{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=3B9A7590626DAAD217487D47A2B990F5,SHA256=9CE3E2C6C23C40B60F27CA5E40A31BB0F9186C3996296ACDF264C765DA5B2D60,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150686161Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:36.495{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5F6B7C17D47C8416518917841B5C451,SHA256=6947E800ACABF8B87FE26078DE8511C0FE83787E9E7892F0CE50917A47D142E2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087919Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:36.141{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48D4B41DD3F297F70DF90230D783D850,SHA256=EE4C8B9F279C7B123EC0853546CEEC1A668ED8150EF46C78CF711C9CB4D56E25,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087920Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:37.360{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11B854D033EEE0EF30FA5F008C7091FE,SHA256=13AC1CA2EB796E8CB273DA7335C514D464C734E66526ECD8D87A5BF8D6599460,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150686162Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:37.495{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0639A614C6E763358D3F10D354733B76,SHA256=6A71BC45B575EF0482107A2E8064B83DC0424B745E1B7CAF674594C087D38BE3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150686163Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:38.542{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DAE1DF9252622923271EAE306360E99,SHA256=696F5267B56D3E70FBB041A4A9F180ED6FC5ECB0F01908F3F16D8BC4A6CB0504,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087921Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:38.391{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCA0301016B91F382188C36E01FDD0E8,SHA256=2BCD2E94D20098B1118B296CDBD8D268D6FB993CF195D726E0E7A4CE44C6881D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150686195Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:39.761{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=264DB6769BB2A5CA25955E35638BCDCD,SHA256=F18624FA066DB0E8A1E400D9392870DD2860AF20CCDB5E5ED65C333955E8FBEA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087922Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:39.438{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E668A71F83A096BC91A09089430BF77B,SHA256=8C66D75486EF4F36A5BAC0FC4ACC03470A7558C7AB9598DCDD66DAAD10BA7220,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000150686194Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:39.104{3BF36828-BC0F-61F9-AA0D-02000000CF01}5804C:\Windows\System32\whoami.exeC:\Windows\System32\authz.dll10.0.14393.1737 (rs1_release_inmarket.170914-1249)Authorization FrameworkMicrosoft® Windows® Operating SystemMicrosoft Corporationauthz.dllMD5=6BAADF6A3E985DE5AB6FDA778E18F1A5,SHA256=8FD060B0F29A1FB23C3D1F389C22EC067247F1E457F331D2B15AE44323ECB8D0,IMPHASH=720B221BA6A01692F2370B4CCC197970trueMicrosoft WindowsValid 734700x8000000000000000150686193Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:39.089{3BF36828-BC0F-61F9-AA0D-02000000CF01}5804C:\Windows\System32\whoami.exeC:\Windows\System32\whoami.exe10.0.14393.0 (rs1_release.160715-1616)whoami - displays logged on user informationMicrosoft® Windows® Operating SystemMicrosoft Corporationwhoami.exeMD5=AA1E17EA3DB5CD9D8BC061CAEC74C6E8,SHA256=8ECFFCCE38D4EE87ABAEE6CBE843D94D4F8FB98FAB3C356C7F6B70E60B10F88A,IMPHASH=E24E330FA9663CE77F2031CACAEB3DF9trueMicrosoft WindowsValid 734700x8000000000000000150686192Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:39.104{3BF36828-BC0F-61F9-AA0D-02000000CF01}5804C:\Windows\System32\whoami.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000150686191Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:39.104{3BF36828-BC0F-61F9-AA0D-02000000CF01}5804C:\Windows\System32\whoami.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000150686190Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:39.104{3BF36828-BC0F-61F9-AA0D-02000000CF01}5804C:\Windows\System32\whoami.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5,IMPHASH=9A7C66851249D4CED6C2C9096DCA243BtrueMicrosoft WindowsValid 734700x8000000000000000150686189Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:39.104{3BF36828-BC0F-61F9-AA0D-02000000CF01}5804C:\Windows\System32\whoami.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000150686188Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:39.104{3BF36828-BC0F-61F9-AA0D-02000000CF01}5804C:\Windows\System32\whoami.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000150686187Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:39.104{3BF36828-BC0F-61F9-AA0D-02000000CF01}5804C:\Windows\System32\whoami.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000150686186Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:39.104{3BF36828-BC0F-61F9-AA0D-02000000CF01}5804C:\Windows\System32\whoami.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000150686185Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:39.104{3BF36828-BC0F-61F9-AA0D-02000000CF01}5804C:\Windows\System32\whoami.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000150686184Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:39.104{3BF36828-BC0F-61F9-AA0D-02000000CF01}5804C:\Windows\System32\whoami.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CA,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x8000000000000000150686183Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:39.104{3BF36828-BC0F-61F9-AA0D-02000000CF01}5804C:\Windows\System32\whoami.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000150686182Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:39.104{3BF36828-BC0F-61F9-AA0D-02000000CF01}5804C:\Windows\System32\whoami.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000150686181Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:39.089{3BF36828-BC0F-61F9-AA0D-02000000CF01}5804C:\Windows\System32\whoami.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000150686180Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:39.089{3BF36828-BC0F-61F9-AA0D-02000000CF01}5804C:\Windows\System32\whoami.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150686179Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:39.089{3BF36828-BC0F-61F9-AA0D-02000000CF01}5804C:\Windows\System32\whoami.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000150686178Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:39.089{3BF36828-BC0F-61F9-AA0D-02000000CF01}5804C:\Windows\System32\whoami.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000150686177Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:39.089{3BF36828-BC0F-61F9-AA0D-02000000CF01}5804C:\Windows\System32\whoami.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000150686176Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:39.089{3BF36828-BC0F-61F9-AA0D-02000000CF01}5804C:\Windows\System32\whoami.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000150686175Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:39.089{3BF36828-BC0F-61F9-AA0D-02000000CF01}5804C:\Windows\System32\whoami.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x8000000000000000150686174Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:39.089{3BF36828-BC0A-61F9-A90D-02000000CF01}19364672C:\Windows\system32\conhost.exe{3BF36828-BC0F-61F9-AA0D-02000000CF01}5804C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150686173Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:39.089{3BF36828-BC0F-61F9-AA0D-02000000CF01}5804C:\Windows\System32\whoami.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000150686172Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:39.089{3BF36828-BC0F-61F9-AA0D-02000000CF01}5804C:\Windows\System32\whoami.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000150686171Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:39.089{3BF36828-BC0F-61F9-AA0D-02000000CF01}5804C:\Windows\System32\whoami.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000150686170Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:39.089{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150686169Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:39.089{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150686168Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:39.089{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150686167Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:39.089{3BF36828-4B39-61E8-0C00-00000000CF01}840208C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150686166Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:39.089{3BF36828-4B36-61E8-0500-00000000CF01}416432C:\Windows\system32\csrss.exe{3BF36828-BC0F-61F9-AA0D-02000000CF01}5804C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000150686165Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:39.089{3BF36828-BC0A-61F9-A80D-02000000CF01}56846116C:\Windows\system32\cmd.exe{3BF36828-BC0F-61F9-AA0D-02000000CF01}5804C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000150686164Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:39.095{3BF36828-BC0F-61F9-AA0D-02000000CF01}5804C:\Windows\System32\whoami.exe10.0.14393.0 (rs1_release.160715-1616)whoami - displays logged on user informationMicrosoft® Windows® Operating SystemMicrosoft Corporationwhoami.exewhoamiC:\Windows\system32\ATTACKRANGE\Administrator{3BF36828-BBE9-61F9-1CA4-521300000000}0x1352a41c0HighMD5=AA1E17EA3DB5CD9D8BC061CAEC74C6E8,SHA256=8ECFFCCE38D4EE87ABAEE6CBE843D94D4F8FB98FAB3C356C7F6B70E60B10F88A,IMPHASH=E24E330FA9663CE77F2031CACAEB3DF9{3BF36828-BC0A-61F9-A80D-02000000CF01}5684C:\Windows\System32\cmd.exe"cmd" 354300x8000000000000000150686203Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:22.675{3BF36828-4B56-61E8-6D00-00000000CF01}4044C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local59819-false10.0.1.12-8000- 23542300x8000000000000000150686202Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:40.776{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BE7CEF3FC484A8DD9C91E5C8D5685ED,SHA256=BCD9164DEAE944BC8219E858636CC358212E9206DF2D94D91CED7D82981901DD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000071087956Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:40.735{B81B27B7-4B39-61E8-0D00-00000000CE01}804824C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-2100-00000000CE01}1076C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087955Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:40.735{B81B27B7-4B39-61E8-0D00-00000000CE01}804824C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-2100-00000000CE01}1076C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087954Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:40.735{B81B27B7-4B39-61E8-0D00-00000000CE01}804824C:\Windows\system32\svchost.exe{B81B27B7-AED0-61F9-B70B-02000000CE01}3740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087953Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:40.735{B81B27B7-4B39-61E8-0D00-00000000CE01}804824C:\Windows\system32\svchost.exe{B81B27B7-AED0-61F9-B70B-02000000CE01}3740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087952Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:40.735{B81B27B7-4B39-61E8-0D00-00000000CE01}804824C:\Windows\system32\svchost.exe{B81B27B7-AED0-61F9-B70B-02000000CE01}3740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087951Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:40.735{B81B27B7-4B39-61E8-0D00-00000000CE01}804824C:\Windows\system32\svchost.exe{B81B27B7-AED0-61F9-B70B-02000000CE01}3740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087950Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:40.735{B81B27B7-4B39-61E8-0D00-00000000CE01}804824C:\Windows\system32\svchost.exe{B81B27B7-AED0-61F9-B70B-02000000CE01}3740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087949Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:40.735{B81B27B7-4B39-61E8-0D00-00000000CE01}804824C:\Windows\system32\svchost.exe{B81B27B7-AED0-61F9-B70B-02000000CE01}3740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087948Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:40.735{B81B27B7-4B39-61E8-0D00-00000000CE01}804824C:\Windows\system32\svchost.exe{B81B27B7-AED0-61F9-B70B-02000000CE01}3740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087947Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:40.735{B81B27B7-4B39-61E8-0D00-00000000CE01}804824C:\Windows\system32\svchost.exe{B81B27B7-AED0-61F9-B70B-02000000CE01}3740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087946Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:40.735{B81B27B7-4B39-61E8-0D00-00000000CE01}804824C:\Windows\system32\svchost.exe{B81B27B7-AED0-61F9-B70B-02000000CE01}3740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087945Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:40.735{B81B27B7-4B39-61E8-0D00-00000000CE01}804824C:\Windows\system32\svchost.exe{B81B27B7-AED0-61F9-B70B-02000000CE01}3740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087944Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:40.735{B81B27B7-4B39-61E8-0D00-00000000CE01}804824C:\Windows\system32\svchost.exe{B81B27B7-AED0-61F9-B70B-02000000CE01}3740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087943Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:40.735{B81B27B7-4B39-61E8-0D00-00000000CE01}804824C:\Windows\system32\svchost.exe{B81B27B7-AED0-61F9-B70B-02000000CE01}3740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087942Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:40.735{B81B27B7-4B39-61E8-0D00-00000000CE01}804824C:\Windows\system32\svchost.exe{B81B27B7-AED0-61F9-B70B-02000000CE01}3740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087941Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:40.735{B81B27B7-4B39-61E8-0D00-00000000CE01}804824C:\Windows\system32\svchost.exe{B81B27B7-AED0-61F9-B70B-02000000CE01}3740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087940Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:40.735{B81B27B7-4B39-61E8-0D00-00000000CE01}804824C:\Windows\system32\svchost.exe{B81B27B7-AED0-61F9-B70B-02000000CE01}3740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087939Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:40.735{B81B27B7-4B39-61E8-0D00-00000000CE01}804824C:\Windows\system32\svchost.exe{B81B27B7-AED0-61F9-B70B-02000000CE01}3740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087938Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:40.735{B81B27B7-4B39-61E8-0D00-00000000CE01}804824C:\Windows\system32\svchost.exe{B81B27B7-AED0-61F9-B70B-02000000CE01}3740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087937Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:40.735{B81B27B7-4B39-61E8-0D00-00000000CE01}804824C:\Windows\system32\svchost.exe{B81B27B7-AED0-61F9-B70B-02000000CE01}3740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087936Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:40.735{B81B27B7-4B39-61E8-0D00-00000000CE01}804824C:\Windows\system32\svchost.exe{B81B27B7-AED0-61F9-B70B-02000000CE01}3740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087935Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:40.735{B81B27B7-4B39-61E8-0D00-00000000CE01}804824C:\Windows\system32\svchost.exe{B81B27B7-AED0-61F9-B70B-02000000CE01}3740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087934Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:40.735{B81B27B7-4B39-61E8-0D00-00000000CE01}804824C:\Windows\system32\svchost.exe{B81B27B7-AED1-61F9-B90B-02000000CE01}716C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087933Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:40.735{B81B27B7-4B39-61E8-0D00-00000000CE01}804824C:\Windows\system32\svchost.exe{B81B27B7-AED1-61F9-B90B-02000000CE01}716C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087932Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:40.735{B81B27B7-4B39-61E8-0D00-00000000CE01}804824C:\Windows\system32\svchost.exe{B81B27B7-AED1-61F9-B90B-02000000CE01}716C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087931Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:40.735{B81B27B7-4B39-61E8-0D00-00000000CE01}804824C:\Windows\system32\svchost.exe{B81B27B7-AED1-61F9-B90B-02000000CE01}716C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087930Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:40.735{B81B27B7-4B39-61E8-0D00-00000000CE01}804824C:\Windows\system32\svchost.exe{B81B27B7-AED1-61F9-B90B-02000000CE01}716C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087929Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:40.735{B81B27B7-4B39-61E8-0D00-00000000CE01}804824C:\Windows\system32\svchost.exe{B81B27B7-AED1-61F9-B90B-02000000CE01}716C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087928Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:40.735{B81B27B7-4B39-61E8-0D00-00000000CE01}804824C:\Windows\system32\svchost.exe{B81B27B7-AED1-61F9-B90B-02000000CE01}716C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087927Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:40.735{B81B27B7-4B39-61E8-0D00-00000000CE01}804824C:\Windows\system32\svchost.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087926Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:40.735{B81B27B7-4B39-61E8-0D00-00000000CE01}804824C:\Windows\system32\svchost.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071087925Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:40.735{B81B27B7-4B39-61E8-0D00-00000000CE01}804824C:\Windows\system32\svchost.exe{B81B27B7-AED2-61F9-BA0B-02000000CE01}2404C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000071087924Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:32.887{B81B27B7-4B45-61E8-6600-00000000CE01}4020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local54150-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000071087923Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:40.516{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4B6554C4E7C774377DDA3BEDA5CA3FF,SHA256=2BA8D65E36901C6CC64147E5BB4A0DAA0426835CCFAC24F190AFFDBE52EC160D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150686201Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:40.745{3BF36828-4B33-61E8-0100-00000000CF01}4NT AUTHORITY\SYSTEMSystemC:\Windows\PSEXESVC.exeMD5=03F939FDB217649071FA37B5B3DFFF9F,SHA256=684DA0AA8730CB9E28F9DE706811624D8E1AC12397139F0C87DED34BAB21309D,IMPHASH=717400F186B3E5D43C8AB61FB43BF595truefalse - insufficient disk space 12241200x8000000000000000150686200Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-DeleteKey2022-02-01 23:02:40.729{3BF36828-4B37-61E8-0A00-00000000CF01}624C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PSEXESVC 13241300x8000000000000000150686199Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.localT1031,T1050SetValue2022-02-01 23:02:40.729{3BF36828-4B37-61E8-0A00-00000000CF01}624C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PSEXESVC\StartDWORD (0x00000004) 13241300x8000000000000000150686198Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2022-02-01 23:02:40.729{3BF36828-4B37-61E8-0A00-00000000CF01}624C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PSEXESVC\DeleteFlagDWORD (0x00000001) 23542300x8000000000000000150686197Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:40.026{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2DDBD529F6341E275E24106AC0A7047B,SHA256=B7FD34A00874DC4A93A64155CFFF55BAAD2BCA49481AF477AECA997B636890D6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150686196Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:40.026{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=08D2434BB3F229890D3175642373A6BA,SHA256=FACA214ED83C4F249F4D5F42792E7613CB2992CE1720EF1CDFB1887DCA734FD3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150686207Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:41.792{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C17D8C6DB6075E23F80977CD733B57A,SHA256=0692C74E7427B31A8D6566470CDC0D575CDEA7412477BF1B8BE4CD6941093FBF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087959Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:41.798{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=270A6641B75DE8E9DAB19E15899341EA,SHA256=93007573CE6BBF6B05C1DB45B5BC3D44071E60B6C581A479502CE5FB15A70FDC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087958Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:41.798{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54F022091EE03587D91BAB6BA721C0F5,SHA256=24E448961E6B5F9B784A2DFF4ED44D91B54C8A7468C3CBBE2C71FE4896C19316,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087957Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:41.798{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CA8FA13E71853ECCDEEC94C9772E6E1A,SHA256=A8135ECF40DC3CA0AA645FD8347784266DDBB7072C2A4A9A2B3E103ECEDE310D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150686206Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:41.745{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=2339490EEFD2BA3D2AFCBA1C7B731588,SHA256=91D5649FDA5613B83208F5EC2AE4D5E1DE3A39E696A31A588F6DA6B24E28E1A4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150686205Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:41.745{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=AA3CDF06AAF2060B5A70CF1978EDC181,SHA256=656FFFFD3C177E4437BE6C971537F80CD2A01955ABEDC65BD76362D0C91DB3F5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150686204Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:41.729{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2DDBD529F6341E275E24106AC0A7047B,SHA256=B7FD34A00874DC4A93A64155CFFF55BAAD2BCA49481AF477AECA997B636890D6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150686208Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:42.823{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5B1721B5EF8DFD070D3E3790FAC5230,SHA256=DE1DF0D3096FB38B845D697C43314A1EAECD56A4F12A309D4EB4B7B5B41E15E5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087960Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:42.813{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6166DF5A01C2CD179AF5C205BD7D783E,SHA256=EFC8538977F365FE1FCCF978A2DF0E610251DABDF3A78C3CB244D82C25DF336A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150686209Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:43.854{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6018247FBC7D7905886AA4856F979204,SHA256=A80AE71EDEEC8B2A9C50C58012347306317BB9A53D0C0BD0FC38C56AC1D6481F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087961Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:43.845{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BDE8CE1E4E6BAD76FC42C7DDAE49524,SHA256=9D487330A05B8E1CB90C4BED95C94261DF6A83B68362BE03D18BA9C6E75125B3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087962Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:44.845{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4957F026EAA6D8E68A431FE9F726BF12,SHA256=BEDB6E81B012DAAACA1729148497263CA36C3B329627C93320BF4B1EAEC0BDC2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150686210Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:44.901{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EFCEF10527778DE850E28752EDBACCD,SHA256=455DF398E0B256AD4B248C7118B139BF6BEE9C6827D94960D0F46B4EE3B2E4F0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150686213Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:45.901{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9ACC1AB4FDBA30BC7EF4EF67717DBDBF,SHA256=875C1AD1F4B77FE84EA914E68C7C5450D8745DDD273E3151A66195A43619D36D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087963Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:45.907{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7944B72A7550416D5F9EF75609D56CF1,SHA256=31905FE8B53CBB413D124BB014E1CEF98B096BF7D65C3DB5F32426D406452B12,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000150686212Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:27.829{3BF36828-4B56-61E8-6D00-00000000CF01}4044C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local59820-false10.0.1.12-8000- 23542300x8000000000000000150686211Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:45.292{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8E6D4C5A8542FCC8A77F65E76FC0C7A5,SHA256=2F58BB5E43838EAFF37BB03E2135271C7A18D41DB5BB20778FD578F3FBB6C8C4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150686214Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:46.917{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87DE952AFF1CD7C306FE9EA273DC4BE7,SHA256=017650C43F886569E1DE28F00D6D672FD4C97903CF1D67E6A89A5103C6B629C6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087966Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:46.907{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBB3A3022298D5BD1B6FC994EA5D928E,SHA256=09510EF2E77FB074ECB3C08EDC2B5BE4B725DAD58615692B03EE5E067308297A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000071087965Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:38.762{B81B27B7-4B45-61E8-6600-00000000CE01}4020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local54151-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000071087964Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:46.220{B81B27B7-4B3A-61E8-2600-00000000CE01}2172NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150686215Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:47.918{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09BBB255BA40D5A9E260982FA35FECA5,SHA256=6377034DF125B403262217FAAB903E0EE4E989C4384BD5D361877FE2DD9B1298,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000071087967Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:40.872{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local54152-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x8000000000000000150686216Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:48.947{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58DD0F88FB1BE33D0D46719DFD8DDE8F,SHA256=739449F9011889A80603BD2548512A9C94C80C810E7DDD2313C630B812C3FB43,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087968Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:48.110{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDD2DE9BEFFFE5A6A939F3D7A71B36FD,SHA256=D43279B5244E6BC924DDC4501CFF7359AC58A6DCF5C3566D1749427164AEBD7F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150686217Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:49.951{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCF3BEFB93EBE34C072C855680B463EF,SHA256=A819B7FD72AEED45052BC6EC8B8364AE1354577CD7552B521FF052E315856EBB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087969Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:49.157{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA67EC3D90AF79535E926EE7C7FDA7ED,SHA256=F3AD328AF4C2B22C530897E8C463C971A231DD18B0CBECEC4F41EC111412FF43,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150686218Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:50.982{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28189B226FB363BBEF70C3A2A343A8DD,SHA256=D806E45BB332EF236230C76CD3115C0A17CC48CAC60D278EE28AACC3752843A6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000071087971Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:43.809{B81B27B7-4B45-61E8-6600-00000000CE01}4020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local54153-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000071087970Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:50.346{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13032E0E0DF2F54C7181D04F7571D92D,SHA256=D635A061D56502FCEA49F2BF87458AE8C69FF49B99300F04CEBEB85C0F9C0251,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071087972Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 23:02:51.596{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CEFB604593C2DE9B12FC56074895EE3,SHA256=0C015C4CE461C78B074B27D9E35AA5A5CF3E1B0DDF259D98D4902456CBC2F8F2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150686220Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:51.232{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9A2726758450F11CB1EB07508931BF96,SHA256=C8C870BD96C3C9990DB0711221C5F32C26EDBD9C170BD59C76B15F88AC0F689E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150686219Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:51.232{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3A4A11EF8E5BA89E4F76DA031E88548F,SHA256=9AEAD34B4C24A7872DFA2F80B1FDE46EDDED98E7B080200B84A8583AF3B5D2F0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000150686222Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:33.753{3BF36828-4B56-61E8-6D00-00000000CF01}4044C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local59821-false10.0.1.12-8000- 23542300x8000000000000000150686221Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 23:02:52.013{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2631414FB075CA0B7EBB2DB2C4D0E53,SHA256=7F97ADF53999AC6196851FFD2E515447AA3EA2ACF458C31D8B1DF00D3397BCF6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space